Don't expose user permissions when extendedPermissions is disabled, cleanup controller.js

2025-10-27 11:02:16 +01:00 · 2018-12-19 13:35:54 +01:00 · 2018-12-19 13:35:54 +01:00 · 29257c2228
commit 29257c2228
parent d9804c0114
3 changed files with 37 additions and 38 deletions
--- a/lib/routes/admin-api/index.js
+++ b/lib/routes/admin-api/index.js
@ -25,7 +25,7 @@ class AdminApi extends Controller {
        );
        this.app.use('/events', new EventController(stores).router);
        this.app.use('/metrics', new MetricsController(perms, stores).router);
-        this.app.use('/user', new UserController().router);
+        this.app.use('/user', new UserController(perms).router);
    }
    index(req, res) {
--- a/lib/routes/admin-api/user.js
+++ b/lib/routes/admin-api/user.js
@ -3,17 +3,21 @@
 const Controller = require('../controller');
 class UserController extends Controller {
-    constructor() {
+    constructor(perms) {
-        super();
+        super(perms);
        this.get('/', this.getUser);
        this.get('/logout', this.logout);
    }
    getUser(req, res) {
        if (req.user) {
            const user = Object.assign({}, req.user);
            if (!this.extendedPermissions) {
                delete user.permissions;
            }
            return res
                .status(200)
-                .json(req.user)
+                .json(user)
                .end();
        } else {
            return res.status(404).end();
--- a/lib/routes/controller.js
+++ b/lib/routes/controller.js
@ -6,54 +6,49 @@ const { requirePermission } = require('./../permissions');
 * Base class for Controllers to standardize binding to express Router.
 */
 class Controller {
-    constructor(extendedPerms) {
+    constructor(extendedPermissions) {
        const router = Router();
        this.app = router;
-        this.extendedPerms = extendedPerms;
+        this.extendedPermissions = extendedPermissions;
    }
    checkPermission(permission) {
        if (this.extendedPermissions && permission) {
            return requirePermission(permission);
        }
        return (res, req, next) => next();
    }
    get(path, handler, permission) {
-        if (this.extendedPerms && permission) {
+        this.app.get(
-            this.app.get(
+            path,
-                path,
+            this.checkPermission(permission),
-                requirePermission(permission),
+            handler.bind(this)
-                handler.bind(this)
+        );
            );
        }
        this.app.get(path, handler.bind(this));
    }
    post(path, handler, permission) {
-        if (this.extendedPerms && permission) {
+        this.app.post(
-            this.app.post(
+            path,
-                path,
+            this.checkPermission(permission),
-                requirePermission(permission),
+            handler.bind(this)
-                handler.bind(this)
+        );
            );
        }
        this.app.post(path, handler.bind(this));
    }
    put(path, handler, permission) {
-        if (this.extendedPerms && permission) {
+        this.app.put(
-            this.app.put(
+            path,
-                path,
+            this.checkPermission(permission),
-                requirePermission(permission),
+            handler.bind(this)
-                handler.bind(this)
+        );
            );
        }
        this.app.put(path, handler.bind(this));
    }
    delete(path, handler, permission) {
-        if (this.extendedPerms && permission) {
+        this.app.delete(
-            this.app.delete(
+            path,
-                path,
+            this.checkPermission(permission),
-                requirePermission(permission),
+            handler.bind(this)
-                handler.bind(this)
+        );
            );
        }
        this.app.delete(path, handler.bind(this));
    }
    use(path, router) {