From b38da68d286c436587ab82689b8d1c80fbb7c1de Mon Sep 17 00:00:00 2001 From: Benjamin Ludewig Date: Wed, 19 Dec 2018 13:35:54 +0100 Subject: [PATCH] Don't expose user permissions when extendedPermissions is disabled, cleanup controller.js --- lib/routes/admin-api/index.js | 2 +- lib/routes/admin-api/user.js | 10 ++++-- lib/routes/controller.js | 63 ++++++++++++++++------------------- 3 files changed, 37 insertions(+), 38 deletions(-) diff --git a/lib/routes/admin-api/index.js b/lib/routes/admin-api/index.js index da7e497130..38d171cc98 100644 --- a/lib/routes/admin-api/index.js +++ b/lib/routes/admin-api/index.js @@ -25,7 +25,7 @@ class AdminApi extends Controller { ); this.app.use('/events', new EventController(stores).router); this.app.use('/metrics', new MetricsController(perms, stores).router); - this.app.use('/user', new UserController().router); + this.app.use('/user', new UserController(perms).router); } index(req, res) { diff --git a/lib/routes/admin-api/user.js b/lib/routes/admin-api/user.js index 306a8ef4bd..19b87a5c34 100644 --- a/lib/routes/admin-api/user.js +++ b/lib/routes/admin-api/user.js @@ -3,17 +3,21 @@ const Controller = require('../controller'); class UserController extends Controller { - constructor() { - super(); + constructor(perms) { + super(perms); this.get('/', this.getUser); this.get('/logout', this.logout); } getUser(req, res) { if (req.user) { + const user = Object.assign({}, req.user); + if (!this.extendedPermissions) { + delete user.permissions; + } return res .status(200) - .json(req.user) + .json(user) .end(); } else { return res.status(404).end(); diff --git a/lib/routes/controller.js b/lib/routes/controller.js index 64a9535740..015995f829 100644 --- a/lib/routes/controller.js +++ b/lib/routes/controller.js @@ -6,54 +6,49 @@ const { requirePermission } = require('./../permissions'); * Base class for Controllers to standardize binding to express Router. */ class Controller { - constructor(extendedPerms) { + constructor(extendedPermissions) { const router = Router(); this.app = router; - this.extendedPerms = extendedPerms; + this.extendedPermissions = extendedPermissions; + } + + checkPermission(permission) { + if (this.extendedPermissions && permission) { + return requirePermission(permission); + } + return (res, req, next) => next(); } get(path, handler, permission) { - if (this.extendedPerms && permission) { - this.app.get( - path, - requirePermission(permission), - handler.bind(this) - ); - } - this.app.get(path, handler.bind(this)); + this.app.get( + path, + this.checkPermission(permission), + handler.bind(this) + ); } post(path, handler, permission) { - if (this.extendedPerms && permission) { - this.app.post( - path, - requirePermission(permission), - handler.bind(this) - ); - } - this.app.post(path, handler.bind(this)); + this.app.post( + path, + this.checkPermission(permission), + handler.bind(this) + ); } put(path, handler, permission) { - if (this.extendedPerms && permission) { - this.app.put( - path, - requirePermission(permission), - handler.bind(this) - ); - } - this.app.put(path, handler.bind(this)); + this.app.put( + path, + this.checkPermission(permission), + handler.bind(this) + ); } delete(path, handler, permission) { - if (this.extendedPerms && permission) { - this.app.delete( - path, - requirePermission(permission), - handler.bind(this) - ); - } - this.app.delete(path, handler.bind(this)); + this.app.delete( + path, + this.checkPermission(permission), + handler.bind(this) + ); } use(path, router) {