shpaq/sct-overseerr
1
0
Fork 0
mirror of https://github.com/sct/overseerr.git synced 2025-09-17 17:24:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: add missing route guards to issues pages (#2235)

Browse Source 
* fix: users should always be able to view their own issues

* fix: apply route guards to issues pages instead

* fix(api): only allow users w/ issue perms to edit comments / delete issues
This commit is contained in:
TheCatLady
2021-10-31 11:56:59 -04:00
committed by GitHub
parent 3ec4a9c76e
commit c79dc9f70f
4 changed files with 75 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
server/routes/issue.ts
View File

@@ -68,7 +68,7 @@ issueRoutes.get<Record<string, string>, IssueResultsResponse>(
return next({ return next({
status: 403, status: 403,
message: message:
'You do not have permission to view issues created by other users', 'You do not have permission to view issues reported by other users',
}); });
} }
query = query.andWhere('createdBy.id = :id', { id: req.user?.id }); query = query.andWhere('createdBy.id = :id', { id: req.user?.id });
@@ -291,7 +291,12 @@ issueRoutes.post<{ issueId: string; status: string }, Issue>(
} }
); );
issueRoutes.delete('/:issueId', async (req, res, next) => { issueRoutes.delete(
'/:issueId',
isAuthenticated([Permission.MANAGE_ISSUES, Permission.CREATE_ISSUES], {
type: 'or',
}),
async (req, res, next) => {
const issueRepository = getRepository(Issue); const issueRepository = getRepository(Issue);
try { try {
@@ -320,6 +325,7 @@ issueRoutes.delete('/:issueId', async (req, res, next) => {
}); });
next({ status: 404, message: 'Issue not found.' }); next({ status: 404, message: 'Issue not found.' });
} }
}); }
);
export default issueRoutes; export default issueRoutes;

19
server/routes/request.ts
View File

@@ -500,9 +500,26 @@ requestRoutes.get('/:requestId', async (req, res, next) => {
relations: ['requestedBy', 'modifiedBy'], relations: ['requestedBy', 'modifiedBy'],
}); });
if (
request.requestedBy.id !== req.user?.id &&
!req.user?.hasPermission(
[Permission.MANAGE_REQUESTS, Permission.REQUEST_VIEW],
{ type: 'or' }
)
) {
return next({
status: 403,
message: 'You do not have permission to view this request.',
});
}
return res.status(200).json(request); return res.status(200).json(request);
} catch (e) { } catch (e) {
next({ status: 404, message: 'Request not found' }); logger.debug('Failed to retrieve request.', {
label: 'API',
errorMessage: e.message,
});
next({ status: 404, message: 'Request not found.' });
} }
}); });

12
src/pages/issues/[issueId]/index.tsx
View File

@@ -1,8 +1,20 @@
import { NextPage } from 'next'; import { NextPage } from 'next';
import React from 'react'; import React from 'react';
import IssueDetails from '../../../components/IssueDetails'; import IssueDetails from '../../../components/IssueDetails';
import useRouteGuard from '../../../hooks/useRouteGuard';
import { Permission } from '../../../hooks/useUser';
const IssuePage: NextPage = () => { const IssuePage: NextPage = () => {
useRouteGuard(
[
Permission.MANAGE_ISSUES,
Permission.CREATE_ISSUES,
Permission.VIEW_ISSUES,
],
{
type: 'or',
}
);
return <IssueDetails />; return <IssueDetails />;
}; };

12
src/pages/issues/index.tsx
View File

@@ -1,8 +1,20 @@
import { NextPage } from 'next'; import { NextPage } from 'next';
import React from 'react'; import React from 'react';
import IssueList from '../../components/IssueList'; import IssueList from '../../components/IssueList';
import useRouteGuard from '../../hooks/useRouteGuard';
import { Permission } from '../../hooks/useUser';
const IssuePage: NextPage = () => { const IssuePage: NextPage = () => {
useRouteGuard(
[
Permission.MANAGE_ISSUES,
Permission.CREATE_ISSUES,
Permission.VIEW_ISSUES,
],
{
type: 'or',
}
);
return <IssueList />; return <IssueList />;
}; };