From 2ccdb8b238a9820525527b1a0abd6faec15d481d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mike=20Schw=C3=B6rer?=
Date: Wed, 12 Jun 2024 00:43:07 +0200
Subject: [PATCH] Lock /preview/* routes behind Any-Auth

---
 scnserver/api/handler/apiPreview.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/scnserver/api/handler/apiPreview.go b/scnserver/api/handler/apiPreview.go
index 3461ab9..b9ae61f 100644
--- a/scnserver/api/handler/apiPreview.go
+++ b/scnserver/api/handler/apiPreview.go
@@ -37,6 +37,10 @@ func (h APIHandler) GetUserPreview(g *gin.Context) ginresp.HTTPResponse {
 }
 defer ctx.Cancel()
 
+ if permResp := ctx.CheckPermissionAny(); permResp != nil {
+ return *permResp
+ }
+
 user, err := h.database.GetUser(ctx, u.UserID)
 if errors.Is(err, sql.ErrNoRows) {
 return ginresp.APIError(g, 404, apierr.USER_NOT_FOUND, "User not found", err)
@@ -76,6 +80,10 @@ func (h APIHandler) GetChannelPreview(g *gin.Context) ginresp.HTTPResponse {
 }
 defer ctx.Cancel()
 
+ if permResp := ctx.CheckPermissionAny(); permResp != nil {
+ return *permResp
+ }
+
 channel, err := h.database.GetChannelByID(ctx, u.ChannelID)
 if errors.Is(err, sql.ErrNoRows) {
 return ginresp.APIError(g, 404, apierr.CHANNEL_NOT_FOUND, "Channel not found", err)
@@ -115,6 +123,10 @@ func (h APIHandler) GetUserKeyPreview(g *gin.Context) ginresp.HTTPResponse {
 }
 defer ctx.Cancel()
 
+ if permResp := ctx.CheckPermissionAny(); permResp != nil {
+ return *permResp
+ }
+
 keytoken, err := h.database.GetKeyToken(ctx, u.UserID, u.KeyID)
 if errors.Is(err, sql.ErrNoRows) {
 return ginresp.APIError(g, 404, apierr.KEY_NOT_FOUND, "Key not found", err)
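Review bot: The added `ctx.CheckPermissionAny()` guard in GetUserPreview only establishes that the caller holds some valid key; nothing in the visible lines relates that key to `u.UserID`, so any authenticated caller can still request a preview for an arbitrary ID and tell existing from missing records through the 404 branch. The same applies to the identical checks in GetChannelPreview (`u.ChannelID`) and GetUserKeyPreview (`u.UserID`, `u.KeyID`), and the key preview is the one most worth a second look if it returns metadata about another user's key. If this is the intended policy, say so at each check, e.g. `// Any-auth by design: previews are readable by every authenticated key, not just the owner.`, so a later reader does not take it for an ownership check. All three handler bodies begin and end outside the hunks, so what the previews actually return is not visible here. A handler test asserting that an unauthenticated request to each /preview/* route is rejected would pin the behaviour this commit introduces.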