From c6a6d49cd74cc665d05f3cd3cc0dba60aadd0f01 Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Fri, 21 May 2021 16:43:01 +0100 Subject: [PATCH] Updating administration middleware so that internal requests allowed through automatically. --- packages/auth/src/middleware/authenticated.js | 1 + .../builder/portal/manage/users/index.svelte | 2 ++ packages/worker/src/api/routes/admin/email.js | 2 ++ packages/worker/src/api/routes/admin/users.js | 19 ++++++++++--------- packages/worker/src/middleware/adminOnly.js | 2 +- 5 files changed, 16 insertions(+), 10 deletions(-) diff --git a/packages/auth/src/middleware/authenticated.js b/packages/auth/src/middleware/authenticated.js index 34ed0ec186..5d9056b19a 100644 --- a/packages/auth/src/middleware/authenticated.js +++ b/packages/auth/src/middleware/authenticated.js @@ -43,6 +43,7 @@ module.exports = (noAuthPatterns = [], opts) => { // this is an internal request, no user made it if (apiKey && apiKey === env.INTERNAL_API_KEY) { ctx.isAuthenticated = true + ctx.internal = true } else if (authCookie) { try { const db = database.getDB(StaticDatabases.GLOBAL.name) diff --git a/packages/builder/src/pages/builder/portal/manage/users/index.svelte b/packages/builder/src/pages/builder/portal/manage/users/index.svelte index d88577c91b..0c136574d7 100644 --- a/packages/builder/src/pages/builder/portal/manage/users/index.svelte +++ b/packages/builder/src/pages/builder/portal/manage/users/index.svelte @@ -22,6 +22,7 @@ const schema = { email: {}, developmentAccess: { displayName: "Development Access", type: "boolean" }, + adminAccess: { displayName: "Admin Access", type: "boolean" }, // role: { type: "options" }, group: {}, // access: {}, @@ -36,6 +37,7 @@ ...user, group: ["All users"], developmentAccess: user.builder.global, + adminAccess: user.admin.global, })) let createUserModal diff --git a/packages/worker/src/api/routes/admin/email.js b/packages/worker/src/api/routes/admin/email.js index d3d0d4faae..a36dc5de91 100644 --- a/packages/worker/src/api/routes/admin/email.js +++ b/packages/worker/src/api/routes/admin/email.js @@ -2,6 +2,7 @@ const Router = require("@koa/router") const controller = require("../../controllers/admin/email") const { EmailTemplatePurpose } = require("../../../constants") const joiValidator = require("../../../middleware/joi-validator") +const adminOnly = require("../../../middleware/adminOnly") const Joi = require("joi") const router = Router() @@ -21,6 +22,7 @@ function buildEmailSendValidation() { router.post( "/api/admin/email/send", buildEmailSendValidation(), + adminOnly, controller.sendEmail ) diff --git a/packages/worker/src/api/routes/admin/users.js b/packages/worker/src/api/routes/admin/users.js index 1e7461fd26..6a6654f5e6 100644 --- a/packages/worker/src/api/routes/admin/users.js +++ b/packages/worker/src/api/routes/admin/users.js @@ -54,16 +54,9 @@ router buildUserSaveValidation(), controller.save ) - .get("/api/admin/users", controller.fetch) - .post("/api/admin/users/init", controller.adminUser) - .get("/api/admin/users/self", controller.getSelf) - .post( - "/api/admin/users/self", - buildUserSaveValidation(true), - controller.updateSelf - ) + .get("/api/admin/users", adminOnly, controller.fetch) .delete("/api/admin/users/:id", adminOnly, controller.destroy) - .get("/api/admin/users/:id", controller.find) + .get("/api/admin/users/:id", adminOnly, controller.find) .get("/api/admin/roles/:appId") .post( "/api/admin/users/invite", @@ -71,10 +64,18 @@ router buildInviteValidation(), controller.invite ) + // non-admin endpoints + .post( + "/api/admin/users/self", + buildUserSaveValidation(true), + controller.updateSelf + ) .post( "/api/admin/users/invite/accept", buildInviteAcceptValidation(), controller.inviteAccept ) + .post("/api/admin/users/init", controller.adminUser) + .get("/api/admin/users/self", controller.getSelf) module.exports = router diff --git a/packages/worker/src/middleware/adminOnly.js b/packages/worker/src/middleware/adminOnly.js index 507fbda9a2..8f56eb7943 100644 --- a/packages/worker/src/middleware/adminOnly.js +++ b/packages/worker/src/middleware/adminOnly.js @@ -1,5 +1,5 @@ module.exports = async (ctx, next) => { - if (!ctx.user || !ctx.user.admin || !ctx.user.admin.global) { + if (!ctx.internal && (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) { ctx.throw(403, "Admin user only endpoint.") } return next()