From f846bb8929e2004799c3116c41b5cb71d59ee349 Mon Sep 17 00:00:00 2001
From: Florian Nari
Date: Thu, 11 Jan 2024 12:08:16 +0100
Subject: [PATCH] fix: various

---
 server/routes.js | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/server/routes.js b/server/routes.js
index 1ae07e1..2c6c224 100644
--- a/server/routes.js
+++ b/server/routes.js
@@ -52,6 +52,15 @@ function isUser(req, res, next) {
 res.redirect('/login');
 }
 
+function currentUserCanUpdateUidParam(req, res, next) {
+const paramUid = req.params.uid;
+if (paramUid && paramUid != req.session.passport.user.uid) {
+return isManager(req, res, next);
+} else {
+return next();
+}
+}
+
 function isManager(req, res, next) {
 if (isAuthenticated(req, res)) {
 if (utils.is_manager(req.session.passport.user) || utils.is_admin(req.session.passport.user))return next();
@@ -155,7 +164,7 @@ function routing() {
 res.send(data);
 });
-router.get('/api/transport/:transport/test/:uid', isUser, function(req, res) {
+router.get('/api/transport/:transport/test/:uid', isUser, currentUserCanUpdateUidParam, function(req, res) {
 request_otp_api(req, res, {
 relUrl: 'protected/users/' + req.params.uid + '/transports/'+ req.params.transport+'/test/',
 bearerAuth: true,
 });
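Review bot: `currentUserCanUpdateUidParam` is fail-open in two ways: it falls through to `next()` whenever `req.params.uid` is falsy (an empty parameter, or the middleware mounted on a route without a `:uid` segment, skips the manager check entirely), and the `!=` comparison silently coerces between the string URL parameter and whatever type the session stores in `uid`, so the outcome depends on that type rather than on an explicit rule. It also dereferences `req.session.passport.user.uid` unguarded, presumably because every route in this patch mounts it after `isUser`; that precondition should be stated rather than implied. Suggest normalizing both sides and sending every uncertain case to `isManager`: `const sessionUser = req.session && req.session.passport && req.session.passport.user;` / `if (!paramUid || !sessionUser || String(paramUid) !== String(sessionUser.uid)) return isManager(req, res, next);` / `return next();`. A header comment such as `/** Lets the request through when :uid is the session user's own uid; any other uid defers to isManager. Must be mounted after isUser. */` would make the contract explicit for the next route that reuses it.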
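Review bot: The handler still builds `relUrl` by concatenating the raw route parameters into the upstream path (`'protected/users/' + req.params.uid + '/transports/' + req.params.transport + '/test/'`); Express decodes route parameters before they reach `req.params`, so a percent-encoded slash or dot segment in `:transport` can change which upstream path `request_otp_api` requests, and the new `currentUserCanUpdateUidParam` middleware only constrains `:uid`. Unless `request_otp_api` (defined outside this hunk) re-encodes each segment, encode them here or validate `:transport` against the known transport names before the call: `relUrl: 'protected/users/' + encodeURIComponent(req.params.uid) + '/transports/' + encodeURIComponent(req.params.transport) + '/test/',`. The PUT and DELETE routes in the next hunk have the same pattern, with `:new_transport` as an additional unencoded segment. The enclosing `routing()` function starts and ends outside the hunk.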
@@ -187,14 +196,14 @@ function routing() {
 });
 });
-router.put('/api/transport/:transport/:new_transport/:uid', isUser, function(req, res) {
+router.put('/api/transport/:transport/:new_transport/:uid', isUser, currentUserCanUpdateUidParam, function(req, res) {
 request_otp_api(req, res, {
 method: 'PUT',
 relUrl: 'protected/users/'+ req.params.uid +'/transports/'+req.params.transport+'/'+req.params.new_transport+'/',
 bearerAuth: true,
 });
 });
-router.delete('/api/transport/:transport/:uid', isUser, function(req, res) {
+router.delete('/api/transport/:transport/:uid', isUser, currentUserCanUpdateUidParam, function(req, res) {
 request_otp_api(req, res, {
 method: 'DELETE',
 relUrl: 'protected/users/'+ req.params.uid +'/transports/'+req.params.transport+'/',
 bearerAuth: true,