Akshay Bharambe · Ajit Jagtap · 7ee01440
--- a/routebuildermdl/routebuildermdl.go

+ 16

− 0
+++ b/routebuildermdl/routebuildermdl.go

+ 16

− 0
 @@ -40,6 +40,10 @@ func executeService(name string, data []byte, isRestricted, isRoleBased, heavyDa
 	if isRestricted {
 		if isRoleBased {
 			service, found = roleBasedServices.Get(name)
+			if !validateRoleFromToken(principalObj, service.(ServiceCache)) {
+				loggermdl.LogError("INVALID_ACTOR: " + name)
+				return nil, nextDynamicPage, ab, isCompressed, errormdl.SERVICENOTFOUND, errormdl.Wrap("INVALID_ACTOR: " + name)
+			}
 		} else {
 			service, found = restrictedServices.Get(name)
 		}
 @@ -99,6 +103,18 @@ func executeService(name string, data []byte, isRestricted, isRoleBased, heavyDa
 	return result, nextDynamicPage, ab, isCompressed, errormdl.EXPECTATIONFAILED, serviceError
 }

+func validateRoleFromToken(principalObj servicebuildermdl.Principal, service ServiceCache) bool {
+	// check if group from request is present in groups associated with the service.
+	for _, g := range service.Groups {
+		for _, tokenGroup := range principalObj.Groups {
+			if g == tokenGroup {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func (s ServiceCache) preHooksExec(rs *gjson.Result, principalObj *servicebuildermdl.Principal) {
 	for i := 0; i < len(s.PreHooks); i++ {
 		var service interface{}