Add missing authorization on views endpoints

Updated ApiKeys authorization to match elsewhere
Tom Moor
2018-02-18 10:56:56 -08:00
parent e84fb5e6ba
commit 83f32be6f7
19 changed files with 129 additions and 35 deletions


@ -6,7 +6,9 @@ import auth from './middlewares/authentication';
import pagination from './middlewares/pagination';
import { presentApiKey } from '../presenters';
import { ApiKey } from '../models';
import policy from '../policies';
const { authorize } = policy;
const router = new Router();
router.post('apiKeys.create', auth(), async ctx => {
@ -14,6 +16,7 @@ router.post('apiKeys.create', auth(), async ctx => {
ctx.assertPresent(name, 'name is required');
const user = ctx.state.user;
authorize(user, 'create', ApiKey);
const key = await ApiKey.create({
name,
@ -36,9 +39,7 @@ router.post('apiKeys.list', auth(), pagination(), async ctx => {
limit: ctx.state.pagination.limit,
});
const data = keys.map(key => {
return presentApiKey(ctx, key);
});
const data = keys.map(key => presentApiKey(ctx, key));
ctx.body = {
pagination: ctx.state.pagination,
@ -52,10 +53,8 @@ router.post('apiKeys.delete', auth(), async ctx => {
const user = ctx.state.user;
const key = await ApiKey.findById(id);
authorize(user, 'delete', ApiKey);
if (!key || key.userId !== user.id) throw httpErrors.BadRequest();
// Delete the actual document
try {
await key.destroy();
} catch (e) {