Update builder and authorized middleware to be more strict towards unauthenticated (#9774)

* Update builder and authorized middleware to be more strict towards unauthenticated

* Remove unnecessary variable
This commit is contained in:
Rory Powell 2023-02-22 13:39:31 +00:00 committed by GitHub
parent ca90993d44
commit 6c7d6a3caa
2 changed files with 14 additions and 7 deletions


@ -79,10 +79,6 @@ export default (
return ctx.throw(403, "No user info found") return ctx.throw(403, "No user info found")
} }
// check general builder stuff, this middleware is a good way
// to find API endpoints which are builder focused
await builderMiddleware(ctx, permType)
// get the resource roles // get the resource roles
let resourceRoles: any = [] let resourceRoles: any = []
let otherLevelRoles: any = [] let otherLevelRoles: any = []
@ -112,6 +108,12 @@ export default (
return ctx.throw(403, "Session not authenticated") return ctx.throw(403, "Session not authenticated")
} }
// check general builder stuff, this middleware is a good way
// to find API endpoints which are builder focused
if (permType === permissions.PermissionType.BUILDER) {
await builderMiddleware(ctx)
}
try { try {
// check authorized // check authorized
await checkAuthorized(ctx, resourceRoles, permType, permLevel) await checkAuthorized(ctx, resourceRoles, permType, permLevel)
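Review bot: The comment kept above the new `if (permType === permissions.PermissionType.BUILDER)` block still describes `builderMiddleware` as an unconditional probe "to find API endpoints which are builder focused", but the call is now gated on the permission type and placed after the `Session not authenticated` check, so the comment no longer matches the control flow. I would reword it to `// builder-scoped calls also go through builderMiddleware (app lock checks); the session check above already rejects unauthenticated requests, so builderMiddleware's own isAuthenticated check only matters when it is mounted standalone`. Since `builderMiddleware` runs before `checkAuthorized`, an authenticated caller who is not authorized for the resource receives whatever the builder middleware's lock checks produce before any 403 from `checkAuthorized`; that ordering is unchanged from the old code, but it is worth stating in the comment so nobody later assumes role checks come first. The enclosing `export default (` function starts and ends outside this hunk.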


@ -64,13 +64,18 @@ async function updateAppUpdatedAt(ctx: BBContext) {
}) })
} }
export default async function builder(ctx: BBContext, permType: string) { export default async function builder(ctx: BBContext) {
const appId = ctx.appId const appId = ctx.appId
// this only functions within an app context // this only functions within an app context
if (!appId) { if (!appId) {
return return
} }
const isBuilderApi = permType === permissions.PermissionType.BUILDER
// check authenticated
if (!ctx.isAuthenticated) {
return ctx.throw(403, "Session not authenticated")
}
const referer = ctx.headers["referer"] const referer = ctx.headers["referer"]
const overviewPath = "/builder/portal/overview/" const overviewPath = "/builder/portal/overview/"
@ -82,7 +87,7 @@ export default async function builder(ctx: BBContext, permType: string) {
const hasAppId = !referer ? false : referer.includes(appId) const hasAppId = !referer ? false : referer.includes(appId)
const editingApp = referer ? hasAppId : false const editingApp = referer ? hasAppId : false
// check this is a builder call and editing // check this is a builder call and editing
if (!isBuilderApi || !editingApp) { if (!editingApp) {
return return
} }
// check locks // check locks
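Review bot: The new `if (!ctx.isAuthenticated)` check under `// check authenticated` sits below the `if (!appId) return` guard, so a request with no app context passes `builder()` without any authentication check at all. That is harmless when this middleware is only reached behind the session check in the authorized middleware, but as a default-exported middleware it can presumably be mounted on its own, and then the `appId` early return is the path an unauthenticated caller takes; if builder routes must always require a session, move the `isAuthenticated` check above the `appId` guard, otherwise document the ordering with `// no app context: nothing to lock here, authentication is enforced by the outer middleware`. Separately, the simplified `if (!editingApp)` condition makes the lock checks depend solely on the client-supplied `referer` header (`!referer ? false : referer.includes(appId)`), so they are only as reliable as that header; this predates the commit but deserves a comment next to the `editingApp` line. The function body continues past the hunk.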