
For each user, the Beego app creates a directory under /static/users/ in the form of: /static/users/USER_ID/private and /static/users/USER_ID/public, where USER_ID is the ID of each user.

I want to protect the private files with the use of Filters so that only the user owning them is able to access them.

The pattern in the router is the following:

beego.InsertFilter("/static/users/:userId([0-9]+)/private/*", beego.BeforeRouter, controllers.ProtectPrivateUploads)

and the filter function is the following:

var ProtectPrivateUploads = func(ctx *context.Context) { fmt.Println("Protecting content") }

the relevant URL has the following form:

domain.com/static/users/USERID/private/123135645.png

The problem is that the filter function does not get called at all so I am assuming that I must have done something wrong with the pattern in the router.

Any ideas would be welcomed.

Stef K

1 Answer

It seems that there is another insertion point for filters, beego.BeforeStatic, but it is not documented at http://beego.me/docs/mvc/controller/filter.md

Looking at the code at https://github.com/astaxie/beego/blob/master/router.go, these are the accepted positions at which one can trigger the filter:

const (
    // default filter execution points
    BeforeStatic = iota
    BeforeRouter
    BeforeExec
    AfterExec
    FinishRouter
)

So a valid call in order to trigger a filter for static files could be:

beego.InsertFilter("/static/users/:userId([0-9]+)/private/*", beego.BeforeStatic, controllers.ProtectPrivateUploads)

Update

The session object for the beego.BeforeRouter router position can be obtained using the following function:

sess,_ := beego.GlobalSessions.SessionStart(ctx.ResponseWriter, ctx.Request)

As a result, a valid router and filter to protect content under the /static/ URL would be:

router:

beego.InsertFilter("/static/users/:id([0-9]+)/private/*", beego.BeforeStatic, controllers.ProtectPrivateUploads)

filter:

var ProtectPrivateUploads = func(ctx *context.Context) {
    sess, _ := beego.GlobalSessions.SessionStart(ctx.ResponseWriter, ctx.Request)
    defer sess.SessionRelease(ctx.ResponseWriter)
    ses := sess.Get("sessionid")
    if ses != nil {
        // get user's id from the session and check if the user can access the requested URL
    }
}
Stef K
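The ownership check that the filter's comment leaves open, as an added example (not part of the original answer): it uses only the Go standard library so it runs without Beego, and it assumes the user's ID is stored in the session at login. CheckPrivateAccess is a hypothetical helper; a filter would pass it ctx.Request.URL.Path and reject the request on any status other than 200.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"regexp"
)

// privatePath mirrors the filter pattern /static/users/:id([0-9]+)/private/*
// and also covers a request for the private directory itself.
var privatePath = regexp.MustCompile(`^/static/users/([0-9]+)/private(/|$)`)

// CheckPrivateAccess returns the HTTP status the filter should act on.
// sessionUserID is the ID kept in the session ("" when there is no session);
// keeping the ID in the session is an assumption of this example.
func CheckPrivateAccess(requestPath, sessionUserID string) int {
	// Decide on the normalized path, so "." and ".." segments cannot make
	// the checked owner differ from the directory that is finally served.
	clean := path.Clean("/" + requestPath)
	m := privatePath.FindStringSubmatch(clean)
	if m == nil {
		return http.StatusOK // not a private upload, nothing to protect
	}
	if sessionUserID == "" {
		return http.StatusUnauthorized // fail closed: no session, no file
	}
	// Exact string match: "05" is not the directory of user "5".
	if m[1] != sessionUserID {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	// Constructed sample requests: path and the ID found in the session.
	samples := [][2]string{
		{"/static/users/5/private/123135645.png", "5"},
		{"/static/users/5/private/123135645.png", ""},
		{"/static/users/5/private/123135645.png", "6"},
		{"/static/users/5/public/avatar.png", ""},
	}
	for _, s := range samples {
		fmt.Printf("%-45s session=%q -> %d\n", s[0], s[1], CheckPrivateAccess(s[0], s[1]))
	}
}
```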