Fix: Server throws "User Does not have permission to access this" occ…

…asionally (arrow flight endpoint) (#847) reload active sessions in the do_get call to get the permissions of all available users
parseablehq · Jul 11, 2024 · 5133d1b · 5133d1b
1 parent a498604
commit 5133d1b
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/server/src/handlers/airplane.rs b/server/src/handlers/airplane.rs
@@ -60,6 +60,7 @@ use tonic::{Request, Response, Status, Streaming};
 
 use crate::handlers::livetail::extract_session_key;
 use crate::metadata::STREAM_INFO;
+use crate::rbac;
 use crate::rbac::Users;
 
 use super::http::query::get_results_from_cache;
@@ -231,6 +232,20 @@ impl FlightService for AirServiceImpl {
             } else {
                 None
             };
+
+        // try authorize
+        match Users.authorize(key.clone(), rbac::role::Action::Query, None, None) {
+            rbac::Response::Authorized => (),
+            rbac::Response::UnAuthorized => {
+                return Err(Status::permission_denied(
+                    "user is not authenticated to access this resource",
+                ))
+            }
+            rbac::Response::ReloadRequired => {
+                return Err(Status::unauthenticated("reload required"))
+            }
+        }
+
         let permissions = Users.get_permissions(&key);
 
         authorize_and_set_filter_tags(&mut query, permissions, &stream_name).map_err(|_| {