From 5ca00bca22db24fffe312f2eddcff568f0bef720 Mon Sep 17 00:00:00 2001
From: LTLA <infinite.monkeys.with.keyboards@gmail.com>
Date: Thu, 17 Oct 2024 23:55:51 -0700
Subject: [PATCH] Protect against missing permissions field.

---
 permissions.go      | 4 ++++
 permissions_test.go | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/permissions.go b/permissions.go
index 7449565..2b8ce22 100644
--- a/permissions.go
+++ b/permissions.go
@@ -208,6 +208,10 @@ func setPermissionsHandler(reqpath string, globals *globalConfiguration) error {
         if err != nil {
             return newHttpError(http.StatusBadRequest, fmt.Errorf("invalid 'project' property in %q; %w", reqpath, err))
         }
+
+        if incoming.Permissions == nil {
+            return newHttpError(http.StatusBadRequest, fmt.Errorf("expected a 'permissions' object in %q", reqpath))
+        }
     }
 
     source_user, err := identifyUser(reqpath)
diff --git a/permissions_test.go b/permissions_test.go
index 6e611b8..e16d34b 100644
--- a/permissions_test.go
+++ b/permissions_test.go
@@ -392,7 +392,7 @@ func TestSetPermissionsHandlerHandler(t *testing.T) {
 
         reqpath, err := dumpRequest(
             "set_permissions",
-            fmt.Sprintf(`{ "project": "%s" }`, project),
+            fmt.Sprintf(`{ "project": "%s", "permissions": {} }`, project),
         )
         if err != nil {
             t.Fatalf("failed to dump a request type; %v", err)