From f10103d396fb9886ece2346163cd56dfe8d9e765 Mon Sep 17 00:00:00 2001
From: "D. Berge"
Date: Sun, 6 Feb 2022 22:40:53 +0100
Subject: [PATCH] Enfore info key access restrictions on the API. Obviously, those keys can be edited freely at the database level. This is intended.
---
 lib/www/server/api/middleware/info/delete.js | 2 +-
 lib/www/server/api/middleware/info/get.js | 2 +-
 lib/www/server/api/middleware/info/post.js | 2 +-
 lib/www/server/api/middleware/info/put.js | 2 +-
 lib/www/server/lib/db/info/delete.js | 8 +++++++-
 lib/www/server/lib/db/info/get.js | 8 +++++++-
 lib/www/server/lib/db/info/post.js | 8 +++++++-
 lib/www/server/lib/db/info/put.js | 8 +++++++-
 8 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/lib/www/server/api/middleware/info/delete.js b/lib/www/server/api/middleware/info/delete.js
index 431dc20..047c951 100644
--- a/lib/www/server/api/middleware/info/delete.js
+++ b/lib/www/server/api/middleware/info/delete.js
@@ -4,7 +4,7 @@ const { info } = require('../../../lib/db');
 module.exports = async function (req, res, next) {
 try {
- await info.delete(req.params.project, req.params.path);
+ await info.delete(req.params.project, req.params.path, undefined, req.user.role);
 res.status(204).send();
 next();
 } catch (err) {
diff --git a/lib/www/server/api/middleware/info/get.js b/lib/www/server/api/middleware/info/get.js
index 195bfae..fe2a1d4 100644
--- a/lib/www/server/api/middleware/info/get.js
+++ b/lib/www/server/api/middleware/info/get.js
@@ -4,7 +4,7 @@ const { info } = require('../../../lib/db');
 module.exports = async function (req, res, next) {
 try {
- res.status(200).json(await info.get(req.params.project, req.params.path, req.query));
+ res.status(200).json(await info.get(req.params.project, req.params.path, req.query, req.user.role));
 } catch (err) {
 if (err instanceof TypeError) {
 res.status(404).json(null);
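Review bot: In `api/middleware/info/delete.js` the new argument `req.user.role` dereferences `req.user` without a guard, and the same expression is added in the `get.js`, `post.js` and `put.js` middleware hunks. Nothing in these hunks shows that an authentication step always populates `req.user` before the handler runs; if it can be absent, the handler throws a `TypeError` before the permission check is reached instead of answering 401. I would refuse the request explicitly first, e.g. `if (!req.user) return res.status(401).send();`, or pass `req.user?.role` provided `checkPermission` (not shown here) denies an undefined role. The handler body continues past the end of the hunk.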
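Review bot: In `api/middleware/info/get.js` the added `req.user.role` is evaluated inside the `try` whose `catch` maps every `TypeError` to `res.status(404).json(null)`, so a request that arrives without `req.user` would be reported as "not found" rather than as unauthenticated. The 403 that the data layer now throws is a plain object, not a `TypeError`, so it falls through to whatever follows this branch, which is outside the hunk; it is worth confirming that it reaches the client as 403 and not as a generic 500. Reading the role before the `try`, `const role = req.user?.role;`, keeps the 404 mapping limited to lookup failures.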
diff --git a/lib/www/server/api/middleware/info/post.js b/lib/www/server/api/middleware/info/post.js
index eaa26bb..b3514b0 100644
--- a/lib/www/server/api/middleware/info/post.js
+++ b/lib/www/server/api/middleware/info/post.js
@@ -6,7 +6,7 @@ module.exports = async function (req, res, next) {
 try {
 const payload = req.body;
- await info.post(req.params.project, req.params.path, payload);
+ await info.post(req.params.project, req.params.path, payload, undefined, req.user.role);
 res.status(201).send();
 next();
 } catch (err) {
diff --git a/lib/www/server/api/middleware/info/put.js b/lib/www/server/api/middleware/info/put.js
index 6ab51ed..8e97347 100644
--- a/lib/www/server/api/middleware/info/put.js
+++ b/lib/www/server/api/middleware/info/put.js
@@ -6,7 +6,7 @@ module.exports = async function (req, res, next) {
 try {
 const payload = req.body;
- await info.put(req.params.project, req.params.path, payload);
+ await info.put(req.params.project, req.params.path, payload, undefined, req.user.role);
 res.status(201).send();
 next();
 } catch (err) {
diff --git a/lib/www/server/lib/db/info/delete.js b/lib/www/server/lib/db/info/delete.js
index 38139b4..d0b0c6f 100644
--- a/lib/www/server/lib/db/info/delete.js
+++ b/lib/www/server/lib/db/info/delete.js
@@ -1,9 +1,15 @@
 const { setSurvey, transaction } = require('../connection');
+const checkPermission = require('./check-permission');
-async function del (projectId, path, opts = {}) {
+async function del (projectId, path, opts = {}, role) {
 const client = await setSurvey(projectId);
 const [key, ...jsonpath] = (path||"").split("/").filter(i => i.length);
+ if (!checkPermission(key, "delete", role)) {
+ throw {status: 403, message: "Forbidden"};
+ return;
+ }
+
 try {
 const text = jsonpath.length ? `
diff --git a/lib/www/server/lib/db/info/get.js b/lib/www/server/lib/db/info/get.js
index 1cc562c..867b47c 100644
--- a/lib/www/server/lib/db/info/get.js
+++ b/lib/www/server/lib/db/info/get.js
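Review bot: In `lib/db/info/delete.js` the permission check runs after `const client = await setSurvey(projectId);` but before the `try {` that follows, so a forbidden request throws while holding a client that nothing in the visible lines releases. If the release lives in a `finally` of that `try` (its end is outside the hunk), every 403 leaves a connection checked out, and a low-privileged caller could drain the pool simply by repeating forbidden requests. The key is derived from `path` alone, so the `const [key, ...jsonpath] = ...` line and the `if (!checkPermission(...))` block can move above the `setSurvey` call. The `post.js` and `put.js` hunks have the same ordering, and `get.js` does too, although it shows no `try`.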
@@ -1,9 +1,15 @@
 const { setSurvey } = require('../connection');
+const checkPermission = require('./check-permission');
-async function get (projectId, path, opts = {}) {
+async function get (projectId, path, opts = {}, role) {
 const client = await setSurvey(projectId);
 const [key, ...subkey] = path.split("/").filter(i => i.trim().length);
+ if (!checkPermission(key, "get", role)) {
+ throw {status: 403, message: "Forbidden"};
+ return;
+ }
+
 const text = ` SELECT value FROM info
diff --git a/lib/www/server/lib/db/info/post.js b/lib/www/server/lib/db/info/post.js
index 3aefed8..e9b79a7 100644
--- a/lib/www/server/lib/db/info/post.js
+++ b/lib/www/server/lib/db/info/post.js
@@ -1,9 +1,15 @@
 const { setSurvey, transaction } = require('../connection');
+const checkPermission = require('./check-permission');
-async function post (projectId, path, payload, opts = {}) {
+async function post (projectId, path, payload, opts = {}, role) {
 const client = await setSurvey(projectId);
 const [key, ...jsonpath] = (path||"").split("/").filter(i => i.length);
+ if (!checkPermission(key, "post", role)) {
+ throw {status: 403, message: "Forbidden"};
+ return;
+ }
+
 try {
 const text = jsonpath.length ? `
diff --git a/lib/www/server/lib/db/info/put.js b/lib/www/server/lib/db/info/put.js
index 383d0d4..b65963b 100644
--- a/lib/www/server/lib/db/info/put.js
+++ b/lib/www/server/lib/db/info/put.js
@@ -1,9 +1,15 @@
 const { setSurvey, transaction } = require('../connection');
+const checkPermission = require('./check-permission');
-async function put (projectId, path, payload, opts = {}) {
+async function put (projectId, path, payload, opts = {}, role) {
 const client = await setSurvey(projectId);
 const [key, ...jsonpath] = (path||"").split("/").filter(i => i.length);
+ if (!checkPermission(key, "put", role)) {
+ throw {status: 403, message: "Forbidden"};
+ return;
+ }
+
 try {
 const text = jsonpath.length ? `
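Review bot: The `return;` after `throw {status: 403, message: "Forbidden"};` in `lib/db/info/get.js` can never execute, and the same two lines appear in the `delete.js`, `post.js` and `put.js` hunks. Throwing an object literal also gives the rejection no stack trace and makes it invisible to `instanceof Error` checks, so denied access is harder to log and trace than it needs to be. I would drop the `return;` and throw `Object.assign(new Error("Forbidden"), {status: 403});`, which keeps the `status` and `message` fields that callers may read.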
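Review bot: `(path||"")` in `lib/db/info/post.js` deliberately admits a missing path, in which case `key` is `undefined` when `checkPermission(key, "post", role)` runs. `check-permission.js` is not part of this patch, so it is unclear whether an undefined key is refused; if restricted keys are matched by name, an undefined key might simply not match and be let through. I would either reject it before the check, `if (!key) throw {status: 400, message: "Bad request"};`, or state in a comment on the check that a missing key is denied. The same applies to the `put.js` and `delete.js` hunks.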
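Review bot: `role` is appended to `put` as a trailing parameter with no default, so any caller that was not updated keeps working and silently passes `role === undefined`; the same holds for `del`, `get` and `post`. Whether that means "internal caller, allow" or "unknown role, deny" is decided inside `checkPermission`, which this patch does not show, and the two readings have opposite security consequences once the API layer can also produce an undefined role. A JSDoc block above the function should say which one it is, for example `@param {string} [role] - caller's role from the API layer; undefined means <documented behaviour>`. The function body continues beyond the hunk.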