From fa98a0b0cb72e71b7d5310161b373f1ee3bd9452 Mon Sep 17 00:00:00 2001
From: Gisle Aune
Date: Thu, 7 Mar 2019 21:03:43 +0100
Subject: [PATCH] LightController: Added missing permission checks.
---
 controllers/light-controller.go | 12 ++++++++++--
 database/sqlite/group-repository.go | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/controllers/light-controller.go b/controllers/light-controller.go
index 42674b8..12bd1a9 100644
--- a/controllers/light-controller.go
+++ b/controllers/light-controller.go
@@ -90,6 +90,12 @@ func (c *LightController) updateLight(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ user := models.UserFromContext(r.Context())
+ if !group.Permission(user.ID).Write {
+ httperr.Respond(w, httperr.ErrAccessDenied)
+ return
+ }
+
 if patch.Color != nil {
 err := light.SetColor(*patch.Color)
 if err != nil {
@@ -117,8 +123,6 @@ func (c *LightController) updateLight(w http.ResponseWriter, r *http.Request) {
 light.On = *patch.On
 }
 if patch.GroupID != nil && *patch.GroupID != light.GroupID {
- user := models.UserFromContext(r.Context())
-
 if !group.Permission(user.ID).Delete {
 respond.Error(w, 403, "cannot_move_out", "You are not permitted to delete lights from group.")
 return
@@ -182,6 +186,10 @@ func (c *LightController) findLight(r *http.Request) (models.Group, models.Light
 return models.Group{}, models.Light{}, err
 }
 
+ if !group.Permission(user.ID).Read {
+ return models.Group{}, models.Light{}, httperr.ErrAccessDenied
+ }
+
 if !group.Permission(user.ID).Read {
 return models.Group{}, models.Light{}, &httperr.Error{Status: http.StatusForbidden, Kind: "permission_denied", Message: "Thou canst not see the light."}
 }
diff --git a/database/sqlite/group-repository.go b/database/sqlite/group-repository.go
index 1505bcd..b773ace 100644
--- a/database/sqlite/group-repository.go
+++ b/database/sqlite/group-repository.go
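Review bot: The new Write guard answers with `httperr.Respond(w, httperr.ErrAccessDenied)`, while the Delete guard further down the same handler (next hunk) answers with `respond.Error(w, 403, "cannot_move_out", ...)`, so updateLight now produces two different 403 bodies for the same class of failure; settle on one, for example `respond.Error(w, 403, "permission_denied", "You are not permitted to change lights in this group.")` here, or move the other guard to httperr. `user.ID` also assumes `models.UserFromContext` never returns nil; whether an unauthenticated request can reach this handler depends on middleware not visible here, so either add a nil check or record the guarantee with a comment like `// user is non-nil: the auth middleware rejects unauthenticated requests before routing here`. Placing the guard before any field of patch is applied is the right order, since a partial update could otherwise slip through ahead of a later error. updateLight starts and ends outside this hunk.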
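Review bot: Moving a light to another group is still gated only by Delete on the source group; nothing in this hunk checks that the caller may write to the destination `*patch.GroupID`, and if that check is not made further down (the `if patch.GroupID != nil` block continues past the hunk), a user with Delete on one group could push lights into a group they have no access to. The fix is to load the destination group through the group repository after the Delete guard and require `.Permission(user.ID).Write` on it before `light.GroupID` is changed, answering with the same 403 shape as the `cannot_move_out` error. Dropping the local `user` here only works because the previous hunk declares it at the top of the handler, so the two hunks must land together.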
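Review bot: The added Read guard is immediately followed by a pre-existing guard with the identical condition `!group.Permission(user.ID).Read`, so the second one is now unreachable and its `permission_denied` / "Thou canst not see the light." response is dead code. Keep exactly one: either delete the three pre-existing lines beginning `if !group.Permission(user.ID).Read {` and ending with the `&httperr.Error{...}` return, which keeps findLight consistent with the `httperr.ErrAccessDenied` used in updateLight, or drop the new block and keep the descriptive error. `user` is declared earlier in findLight, outside this hunk, so the same question of whether it can be nil applies here as in updateLight.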
@@ -52,7 +52,7 @@ func (r *groupRepository) FindByLight(ctx context.Context, light models.Light) (
 func (r *groupRepository) List(ctx context.Context) ([]models.Group, error) {
 groups := make([]models.Group, 0, 16)
- err := db.SelectContext(ctx, &groups, "SELECT * FROM group")
+ err := db.SelectContext(ctx, &groups, "SELECT * FROM `group`")
 if err != nil {
 return nil, err
 }
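Review bot: Backtick quoting on `group` is a MySQL-ism that SQLite accepts only for compatibility; the SQL-standard identifier form is what SQLite documents and what other drivers also accept, so `"SELECT * FROM \"group\""` is the more portable spelling. The same reserved-word trap applies to every other statement that names this table (FindByLight above, shown in the hunk header, and any INSERT/UPDATE elsewhere in the file), so those should be checked as well. If `db` is an sqlx handle, as the `SelectContext` signature suggests, `SELECT *` also means a column added to the table later without a matching field in models.Group makes this query fail at scan time; an explicit column list avoids that.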