fix: add missing route guards to issues pages (#2235)

* fix: users should always be able to view their own issues * fix: apply route guards to issues pages instead * fix(api): only allow users w/ issue perms to edit comments / delete issues
2025-09-17 17:24:35 +02:00 · 2021-10-31 11:56:59 -04:00
parent 3ec4a9c76e
commit c79dc9f70f
4 changed files with 75 additions and 28 deletions
--- a/server/routes/request.ts
+++ b/server/routes/request.ts
@@ -500,9 +500,26 @@ requestRoutes.get('/:requestId', async (req, res, next) => {
      relations: ['requestedBy', 'modifiedBy'],
    });

+    if (
+      request.requestedBy.id !== req.user?.id &&
+      !req.user?.hasPermission(
+        [Permission.MANAGE_REQUESTS, Permission.REQUEST_VIEW],
+        { type: 'or' }
+      )
+    ) {
+      return next({
+        status: 403,
+        message: 'You do not have permission to view this request.',
+      });
+    }
+
    return res.status(200).json(request);
  } catch (e) {
-    next({ status: 404, message: 'Request not found' });
+    logger.debug('Failed to retrieve request.', {
+      label: 'API',
+      errorMessage: e.message,
+    });
+    next({ status: 404, message: 'Request not found.' });
  }
 });