client/web: move API permission checks into handlers (#19576)

There are only a couple endpoints that check peer capabilities. Keeping permission checks with the code that assumes they were performed, rather than with the routing layer, feels easier to reason about. Check that the caller is actually a peer and pass their capabilities via a context value for handlers that want to check them. Along with this, simplify the helper handler wrappers that are not needed for most of the endpoints. Updates #40851 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2026-05-01 09:01:53 -07:00
parent bbcb8650d4
commit f15a4f4416
7 changed files with 104 additions and 125 deletions
@@ -404,7 +404,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/tstime                                         from tailscale.com/control/controlclient+
        tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
-        tailscale.com/tsweb                                          from tailscale.com/util/eventbus
+        tailscale.com/tsweb                                          from tailscale.com/util/eventbus+
        tailscale.com/tsweb/varz                                     from tailscale.com/cmd/tailscaled+
        tailscale.com/types/appctype                                 from tailscale.com/ipn/ipnlocal+
        tailscale.com/types/bools                                    from tailscale.com/wgengine/netlog