fix(backend): enforce imports page permissions

Author: ImShyMike

rustytime/Cargo.lock

@@ -1,7 +1,7 @@
 [package]
 name = "rustytime-server"
 description = "🕒 blazingly fast time tracking for developers"
-version = "0.15.0"
+version = "0.15.1"
 edition = "2024"
 authors = ["ImShyMike"]
 readme = "../README.md"

rustytime/Cargo.toml

@@ -207,13 +207,6 @@ pub fn create_app_router(
                         .tag("Pages")
                         .security_requirement("Authenticated")
                 }))
-                .api_route("/page/imports", get_with(admin_imports, |op| {
-                    op.id("admin_imports")
-                        .summary("Admin Imports Page")
-                        .description("Data for the admin imports page.")
-                        .tag("Pages")
-                        .security_requirement("Authenticated")
-                }))
                 .nest(
                     "/admin",
                     ApiRouter::new()
@@ -248,6 +241,21 @@ pub fn create_app_router(
                     middleware::require_admin,
                 )),
         )
+        // owner routes
+        .merge(
+            ApiRouter::new()
+                .api_route("/page/imports", get_with(admin_imports, |op| {
+                    op.id("admin_imports")
+                        .summary("Admin Imports Page")
+                        .description("Data for the admin imports page.")
+                        .tag("Pages")
+                        .security_requirement("Authenticated")
+                }))
+                .layer(axum_middleware::from_fn_with_state(
+                    app_state.clone(),
+                    middleware::require_owner,
+                )),
+        )
         // API routes
         .nest(
             "/api/v1",

rustytime/src/routes.rs

@@ -86,6 +86,44 @@ pub async fn require_admin(
     }
 }
 
+/// Middleware to require owner privileges
+pub async fn require_owner(
+    State(app_state): State<AppState>,
+    cookies: Cookies,
+    mut request: Request,
+    next: Next,
+) -> Response {
+    match SessionManager::resolve_session(&cookies, &app_state.db_pool).await {
+        Ok(Some(resolved)) => {
+            let is_owner = resolved.user.is_owner()
+                || resolved
+                    .impersonator
+                    .as_ref()
+                    .map(|admin| admin.is_owner())
+                    .unwrap_or(false);
+
+            if !is_owner {
+                return (StatusCode::FORBIDDEN, "Owner access required").into_response();
+            }
+
+            {
+                let extensions = request.extensions_mut();
+                extensions.insert(resolved.user.clone());
+                if let Some(admin) = resolved.impersonator.clone() {
+                    extensions.insert(ImpersonationContext { admin });
+                }
+            }
+
+            next.run(request).await
+        }
+        Ok(None) => {
+            // user is not authenticated
+            (StatusCode::UNAUTHORIZED, "Authentication required").into_response()
+        }
+        Err(_) => (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response(),
+    }
+}
+
 /// Middleware to track request metrics
 #[inline(always)]
 pub async fn track_metrics(