Aaltronav/dougal-software
1
0
Fork 0
mirror of https://gitlab.com/wgp/dougal/software.git synced 2025-12-06 09:17:08 +00:00
Code Issues Packages Projects Releases Activity

Bypass permissions check on info.put() if role is null.

Browse Source 
The comparison is strict non-equality so a null role cannot
be forced via the API.

The need for this is so that we can reuse this function to
save QC results, which is something that does not take
place over the API.
This commit is contained in:
D. Berge
2022-03-07 21:17:56 +01:00
parent d3336c6cf7
commit 67f8b9c6dd
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/www/server/lib/db/info/put.js
View File

@@ -3,9 +3,9 @@ const checkPermission = require('./check-permission');
async function put (projectId, path, payload, opts = {}, role) {
const client = await setSurvey(projectId);
const [key, ...jsonpath] = (path||"").split("/").filter(i => i.length);
const [key, ...jsonpath] = (path??"").split("/").filter(i => i.length);
if (!checkPermission(key, "put", role)) {
if (role !== null && !checkPermission(key, "put", role)) {
throw {status: 403, message: "Forbidden"};
return;
}