Don't expose user permissions when extendedPermissions is disabled, cleanup controller.js

2025-10-27 11:02:16 +01:00 · 2018-12-19 13:35:54 +01:00 · 2018-12-19 13:35:54 +01:00 · b38da68d28
commit b38da68d28
parent abe4f8cf16
3 changed files with 37 additions and 38 deletions
--- a/lib/routes/admin-api/index.js
+++ b/lib/routes/admin-api/index.js
@ -25,7 +25,7 @@ class AdminApi extends Controller {
        );
        this.app.use('/events', new EventController(stores).router);
        this.app.use('/metrics', new MetricsController(perms, stores).router);
-        this.app.use('/user', new UserController().router);
+        this.app.use('/user', new UserController(perms).router);
    }

    index(req, res) {
--- a/lib/routes/admin-api/user.js
+++ b/lib/routes/admin-api/user.js
@ -3,17 +3,21 @@
 const Controller = require('../controller');

 class UserController extends Controller {
-    constructor() {
-        super();
+    constructor(perms) {
+        super(perms);
        this.get('/', this.getUser);
        this.get('/logout', this.logout);
    }

    getUser(req, res) {
        if (req.user) {
+            const user = Object.assign({}, req.user);
+            if (!this.extendedPermissions) {
+                delete user.permissions;
+            }
            return res
                .status(200)
-                .json(req.user)
+                .json(user)
                .end();
        } else {
            return res.status(404).end();
--- a/lib/routes/controller.js
+++ b/lib/routes/controller.js
@ -6,54 +6,49 @@ const { requirePermission } = require('./../permissions');
 * Base class for Controllers to standardize binding to express Router.
 */
 class Controller {
-    constructor(extendedPerms) {
+    constructor(extendedPermissions) {
        const router = Router();
        this.app = router;
-        this.extendedPerms = extendedPerms;
+        this.extendedPermissions = extendedPermissions;
+    }
+
+    checkPermission(permission) {
+        if (this.extendedPermissions && permission) {
+            return requirePermission(permission);
+        }
+        return (res, req, next) => next();
    }

    get(path, handler, permission) {
-        if (this.extendedPerms && permission) {
-            this.app.get(
-                path,
-                requirePermission(permission),
-                handler.bind(this)
-            );
-        }
-        this.app.get(path, handler.bind(this));
+        this.app.get(
+            path,
+            this.checkPermission(permission),
+            handler.bind(this)
+        );
    }

    post(path, handler, permission) {
-        if (this.extendedPerms && permission) {
-            this.app.post(
-                path,
-                requirePermission(permission),
-                handler.bind(this)
-            );
-        }
-        this.app.post(path, handler.bind(this));
+        this.app.post(
+            path,
+            this.checkPermission(permission),
+            handler.bind(this)
+        );
    }

    put(path, handler, permission) {
-        if (this.extendedPerms && permission) {
-            this.app.put(
-                path,
-                requirePermission(permission),
-                handler.bind(this)
-            );
-        }
-        this.app.put(path, handler.bind(this));
+        this.app.put(
+            path,
+            this.checkPermission(permission),
+            handler.bind(this)
+        );
    }

    delete(path, handler, permission) {
-        if (this.extendedPerms && permission) {
-            this.app.delete(
-                path,
-                requirePermission(permission),
-                handler.bind(this)
-            );
-        }
-        this.app.delete(path, handler.bind(this));
+        this.app.delete(
+            path,
+            this.checkPermission(permission),
+            handler.bind(this)
+        );
    }

    use(path, router) {