auth dump route (#707)

MarinPostma · web-flow · commit 578e37324cde · 2023-09-26T17:00:21.000Z
diff --git a/sqld/src/auth.rs b/sqld/src/auth.rs
@@ -219,7 +219,7 @@ impl Authenticated {
 
     pub fn is_namespace_authorized(&self, namespace: &NamespaceName) -> bool {
         match self {
-            Authenticated::Anonymous => true,
+            Authenticated::Anonymous => false,
             Authenticated::Authorized(Authorized {
                 namespace: Some(ns),
                 ..
@@ -230,6 +230,14 @@ impl Authenticated {
             }) => true,
         }
     }
+
+    /// Returns `true` if the authenticated is [`Anonymous`].
+    ///
+    /// [`Anonymous`]: Authenticated::Anonymous
+    #[must_use]
+    pub fn is_anonymous(&self) -> bool {
+        matches!(self, Self::Anonymous)
+    }
 }
 
 #[derive(Debug)]
diff --git a/sqld/src/http/user/dump.rs b/sqld/src/http/user/dump.rs
@@ -7,6 +7,7 @@ use futures::StreamExt;
 use hyper::HeaderMap;
 use pin_project_lite::pin_project;
 
+use crate::auth::Authenticated;
 use crate::connection::dump::exporter::export_dump;
 use crate::error::Error;
 use crate::namespace::MakeNamespace;
@@ -72,16 +73,21 @@ where
 }
 
 pub(super) async fn handle_dump<F: MakeNamespace>(
+    auth: Authenticated,
     AxumState(state): AxumState<AppState<F>>,
     headers: HeaderMap,
-) -> Result<axum::body::StreamBody<impl futures::Stream<Item = Result<bytes::Bytes, Error>>>, Error>
+) -> crate::Result<axum::body::StreamBody<impl futures::Stream<Item = Result<bytes::Bytes, Error>>>>
 {
     let namespace = namespace_from_headers(
         &headers,
         state.disable_default_namespace,
         state.disable_namespaces,
     )?;
 
+    if !auth.is_namespace_authorized(&namespace) | auth.is_anonymous() {
+        return Err(Error::NamespaceDoesntExist(namespace.to_string()));
+    }
+
     let db_path = state.path.join("dbs").join(namespace.as_str()).join("data");
 
     let connection = rusqlite::Connection::open(db_path)?;
