From 2ab8a24c188a2ba39424eb7925bc7ff3fb767bfb Mon Sep 17 00:00:00 2001
From: Paul Buetow <paul@buetow.org>
Date: Thu, 19 Mar 2026 21:51:44 +0200
Subject: task 261: harden server reads with OpenRoot

---
 internal/server/handlers/readcommand_server.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'internal/server/handlers/readcommand_server.go')

diff --git a/internal/server/handlers/readcommand_server.go b/internal/server/handlers/readcommand_server.go
index 8c3cb96..0f98a58 100644
--- a/internal/server/handlers/readcommand_server.go
+++ b/internal/server/handlers/readcommand_server.go
@@ -4,6 +4,7 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/mimecast/dtail/internal/io/fs"
 	"github.com/mimecast/dtail/internal/io/line"
 	"github.com/mimecast/dtail/internal/mapr/server"
 )
@@ -13,7 +14,7 @@ type readCommandContext interface {
 }
 
 type readCommandFiles interface {
-	CanReadFile(path string) bool
+	PrepareReadTarget(path string) (fs.ValidatedReadTarget, bool)
 	CatLimiter() chan struct{}
 	TailLimiter() chan struct{}
 }
@@ -87,9 +88,9 @@ func (h *ServerHandler) SendServerMessage(message string) {
 	h.sendln(h.serverMessages, message)
 }
 
-// CanReadFile reports whether the current user can read the given path.
-func (h *ServerHandler) CanReadFile(path string) bool {
-	return h.user.HasFilePermission(path, "readfiles")
+// PrepareReadTarget validates the current user's access to the given path.
+func (h *ServerHandler) PrepareReadTarget(path string) (fs.ValidatedReadTarget, bool) {
+	return h.user.ValidateReadTarget(path, "readfiles")
 }
 
 // ServerMessagesChannel returns the server message channel.
-- 
cgit v1.2.3