MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update builder and authorized middleware to be more strict towards unauthenticated (#9774) 

* Update builder and authorized middleware to be more strict towards unauthenticated

* Remove unnecessary variable
This commit is contained in:
Rory Powell 2023-02-22 13:39:31 +00:00 committed by GitHub
parent e04c72331e
commit 4b85583f5f
2 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
packages/server/src/middleware/authorized.ts
View File

@ -79,10 +79,6 @@ export default (
return ctx.throw(403, "No user info found")
}
// check general builder stuff, this middleware is a good way
// to find API endpoints which are builder focused
await builderMiddleware(ctx, permType)
// get the resource roles
let resourceRoles: any = []
let otherLevelRoles: any = []
@ -112,6 +108,12 @@ export default (
return ctx.throw(403, "Session not authenticated")
}
// check general builder stuff, this middleware is a good way
// to find API endpoints which are builder focused
if (permType === permissions.PermissionType.BUILDER) {
await builderMiddleware(ctx)
}
try {
// check authorized
await checkAuthorized(ctx, resourceRoles, permType, permLevel)

11
packages/server/src/middleware/builder.ts
View File

@ -64,13 +64,18 @@ async function updateAppUpdatedAt(ctx: BBContext) {
})
}
export default async function builder(ctx: BBContext, permType: string) {
export default async function builder(ctx: BBContext) {
const appId = ctx.appId
// this only functions within an app context
if (!appId) {
return
}
const isBuilderApi = permType === permissions.PermissionType.BUILDER
// check authenticated
if (!ctx.isAuthenticated) {
return ctx.throw(403, "Session not authenticated")
}
const referer = ctx.headers["referer"]
const overviewPath = "/builder/portal/overview/"
@ -82,7 +87,7 @@ export default async function builder(ctx: BBContext, permType: string) {
const hasAppId = !referer ? false : referer.includes(appId)
const editingApp = referer ? hasAppId : false
// check this is a builder call and editing
if (!isBuilderApi || !editingApp) {
if (!editingApp) {
return
}
// check locks