fix: fixes missed cases to validate user scope when downloading, streaming and actions (#3460)

2025-12-21 21:33:18 +01:00 · 2024-12-14 13:12:43 -08:00
parent f2e56f79b7
commit bd0a81f332
4 changed files with 82 additions and 3 deletions
--- a/internal/web/actions.go
+++ b/internal/web/actions.go
@@ -14,6 +14,17 @@ func (h *handler) containerActions(w http.ResponseWriter, r *http.Request) {
 	action := chi.URLParam(r, "action")
 	id := chi.URLParam(r, "id")

+	validIdMap, err := h.validContainerIDsForHost(r, hostKey(r))
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if _, ok := validIdMap[id]; !ok {
+		http.Error(w, "container not found", http.StatusUnauthorized)
+		return
+	}
+
 	containerService, err := h.multiHostService.FindContainer(hostKey(r), id)
 	if err != nil {
 		log.Error().Err(err).Msg("error while trying to find container")