LightController: Added missing permission checks.

controllers/light-controller.go

@@ -90,6 +90,12 @@ func (c *LightController) updateLight(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	user := models.UserFromContext(r.Context())
+	if !group.Permission(user.ID).Write {
+		httperr.Respond(w, httperr.ErrAccessDenied)
+		return
+	}
+
 	if patch.Color != nil {
 		err := light.SetColor(*patch.Color)
 		if err != nil {
@@ -117,8 +123,6 @@ func (c *LightController) updateLight(w http.ResponseWriter, r *http.Request) {
 		light.On = *patch.On
 	}
 	if patch.GroupID != nil && *patch.GroupID != light.GroupID {
-		user := models.UserFromContext(r.Context())
-
 		if !group.Permission(user.ID).Delete {
 			respond.Error(w, 403, "cannot_move_out", "You are not permitted to delete lights from group.")
 			return
@@ -182,6 +186,10 @@ func (c *LightController) findLight(r *http.Request) (models.Group, models.Light
 		return models.Group{}, models.Light{}, err
 	}
 
+	if !group.Permission(user.ID).Read {
+		return models.Group{}, models.Light{}, httperr.ErrAccessDenied
+	}
+
 	if !group.Permission(user.ID).Read {
 		return models.Group{}, models.Light{}, &httperr.Error{Status: http.StatusForbidden, Kind: "permission_denied", Message: "Thou canst not see the light."}
 	}

database/sqlite/group-repository.go

@@ -52,7 +52,7 @@ func (r *groupRepository) FindByLight(ctx context.Context, light models.Light) (
 
 func (r *groupRepository) List(ctx context.Context) ([]models.Group, error) {
 	groups := make([]models.Group, 0, 16)
-	err := db.SelectContext(ctx, &groups, "SELECT * FROM group")
+	err := db.SelectContext(ctx, &groups, "SELECT * FROM `group`")
 	if err != nil {
 		return nil, err
 	}