Internal Server Error when posting a permission while being authenticated with another permission #367
Description
What version of ReactiveSearch API are you using ?
8.9.0
What issue did you run into?
- Create a permission (API Credentials) with a read-write access to the "permissions" category.
- Use the credentials of the just created permission in HTTP Basic Auth to send a
POST /_permissionrequest, trying to create another permission object.
What did you expect to see?
A created permission.
What did you see instead?
Internal server error saying "*user.User" not found in request context.
From what I was able to find in the code as a non-Go developer, looks like the user is being read from the context right here for the only purpose to check if it's admin or not, which decides the permission's default settings. And if the user not found, the error is being thrown.
Looking at the auth middleware I can see it being assigned only when the request is authenticated on behalf of a user. When you use API Credentials to authenticate the request, the permission is being assigned to the context instead.
I haven't found anywhere in the documentation that you can only create permissions when authenticated as a user. So I think it's a bug.
Would it be possible to fix it by assuming the user is not an admin if the request is authenticated with the API Credentials?