feat: allow admins to rename and move items of other users and fix ownership security vulnerability

Author: Kirari04

controllers/MoveItemsController.go

@@ -15,11 +15,15 @@ func MoveItems(c echo.Context) error {
 		return c.String(status, err.Error())
 	}
 
+	// Determine admin status
+	isAdmin, _ := c.Get("Admin").(bool)
+
 	status, err := logic.MoveItems(
 		c.Get("UserID").(uint),
 		moveValidation.ParentFolderID,
 		moveValidation.FolderIDs,
 		moveValidation.LinkIDs,
+		isAdmin,
 	)
 	if err != nil {
 		return c.String(status, err.Error())

controllers/UpdateFileController.go

@@ -23,10 +23,22 @@ func UpdateFile(c echo.Context) error {
 		return c.String(http.StatusBadRequest, "File doesn't exist")
 	}
 
+	// Verify ownership
+	userID := c.Get("UserID").(uint)
+	isAdmin, _ := c.Get("Admin").(bool)
+	if !isAdmin && dbLink.UserID != userID {
+		return c.String(http.StatusForbidden, "Unauthorized access to file")
+	}
+
 	if linkValidation.ParentFolderID > 0 {
-		if res := inits.DB.First(&models.Folder{}, linkValidation.ParentFolderID); res.Error != nil {
+		var targetParent models.Folder
+		if res := inits.DB.First(&targetParent, linkValidation.ParentFolderID); res.Error != nil {
 			return c.String(http.StatusBadRequest, "Parent folder doesn't exist")
 		}
+
+		if !isAdmin && targetParent.UserID != userID {
+			return c.String(http.StatusForbidden, "Unauthorized access to target parent folder")
+		}
 	}
 
 	//update link data

controllers/UpdateFolderController.go

@@ -30,16 +30,28 @@ func UpdateFolder(c echo.Context) error {
 		return c.String(http.StatusBadRequest, "Folder doesn't exist")
 	}
 
+	// Verify ownership
+	userID := c.Get("UserID").(uint)
+	isAdmin, _ := c.Get("Admin").(bool)
+	if !isAdmin && dbFolder.UserID != userID {
+		return c.String(http.StatusForbidden, "Unauthorized access to folder")
+	}
+
 	/*
 		check if ParentfolderID aint root folder (=0)
 		check if requested parent folder id exists
 		TODO: also check if the new parent folder is not a child of current folder or the folder itself
 	*/
 	if folderValidation.ParentFolderID > 0 {
-		if res := inits.DB.First(&models.Folder{}, folderValidation.ParentFolderID); res.Error != nil {
+		var targetParent models.Folder
+		if res := inits.DB.First(&targetParent, folderValidation.ParentFolderID); res.Error != nil {
 			return c.String(http.StatusBadRequest, "Parent folder doesn't exist")
 		}
 
+		if !isAdmin && targetParent.UserID != userID {
+			return c.String(http.StatusForbidden, "Unauthorized access to target parent folder")
+		}
+
 		// if the new parent folder is inside the current folder we return an
 		// error so the folders wont be in an infinite loop
 		containsFolder, err := helpers.FolderContainsFolder(dbFolder.ID, dbFolder.ParentFolderID)

logic/MoveItems.go

@@ -8,7 +8,7 @@ import (
 	"net/http"
 )
 
-func MoveItems(userId uint, targetFolderId uint, folderIds []uint, linkIds []uint) (int, error) {
+func MoveItems(userId uint, targetFolderId uint, folderIds []uint, linkIds []uint, isAdmin bool) (int, error) {
 	// check if at least one item is being moved
 	if len(folderIds) == 0 && len(linkIds) == 0 {
 		return http.StatusBadRequest, errors.New("no items selected to move")
@@ -20,7 +20,7 @@ func MoveItems(userId uint, targetFolderId uint, folderIds []uint, linkIds []uin
 		if res := inits.DB.First(&targetFolder, targetFolderId); res.Error != nil {
 			return http.StatusBadRequest, errors.New("target folder doesn't exist")
 		}
-		if targetFolder.UserID != userId {
+		if !isAdmin && targetFolder.UserID != userId {
 			return http.StatusForbidden, errors.New("unauthorized access to target folder")
 		}
 	}
@@ -36,8 +36,8 @@ func MoveItems(userId uint, targetFolderId uint, folderIds []uint, linkIds []uin
 		if res := inits.DB.First(&folder, folderId); res.Error != nil {
 			return http.StatusBadRequest, errors.New("folder to move not found")
 		}
-		
-		if folder.UserID != userId {
+
+		if !isAdmin && folder.UserID != userId {
 			return http.StatusForbidden, errors.New("unauthorized access to folder")
 		}
 
@@ -64,8 +64,8 @@ func MoveItems(userId uint, targetFolderId uint, folderIds []uint, linkIds []uin
 		if res := inits.DB.First(&link, linkId); res.Error != nil {
 			return http.StatusBadRequest, errors.New("file to move not found")
 		}
-		
-		if link.UserID != userId {
+
+		if !isAdmin && link.UserID != userId {
 			return http.StatusForbidden, errors.New("unauthorized access to file")
 		}