From 1f17da4b95113ce069fc3cd3bdc4d4aaf01e5e1e Mon Sep 17 00:00:00 2001 From: Pranav C Date: Tue, 27 Dec 2022 13:09:56 +0530 Subject: [PATCH] fix(nocodb): attachment api middleware corrections Signed-off-by: Pranav C --- .../nocodb/src/lib/meta/api/attachmentApis.ts | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/packages/nocodb/src/lib/meta/api/attachmentApis.ts b/packages/nocodb/src/lib/meta/api/attachmentApis.ts index 535d227da0..53506414cf 100644 --- a/packages/nocodb/src/lib/meta/api/attachmentApis.ts +++ b/packages/nocodb/src/lib/meta/api/attachmentApis.ts @@ -15,11 +15,15 @@ import NcPluginMgrv2 from '../helpers/NcPluginMgrv2'; import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants'; const isUploadAllowed = async (req: Request, _res: Response, next: any) => { + if (!req['user']?.id) { + NcError.unauthorized('Unauthorized'); + } + try { // check user is super admin or creator if ( - req['user']?.roles?.includes(OrgUserRoles.SUPER_ADMIN) || - req['user']?.roles?.includes(OrgUserRoles.CREATOR) || + req['user'].roles?.includes(OrgUserRoles.SUPER_ADMIN) || + req['user'].roles?.includes(OrgUserRoles.CREATOR) || // if viewer then check at-least one project have editor or higher role // todo: cache !!(await Noco.ncMeta @@ -29,7 +33,7 @@ const isUploadAllowed = async (req: Request, _res: Response, next: any) => { this.orWhere('roles', ProjectRoles.CREATOR); this.orWhere('roles', ProjectRoles.EDITOR); }) - .andWhere('fk_user_id', req['user']?.id) + .andWhere('fk_user_id', req['user'].id) .first()) ) return next(); @@ -182,12 +186,20 @@ router.post( fieldSize: NC_ATTACHMENT_FIELD_SIZE, }, }).any(), - [extractProjectIdAndAuthenticate, isUploadAllowed, catchError(upload)] + [ + extractProjectIdAndAuthenticate, + catchError(isUploadAllowed), + catchError(upload), + ] ); router.post( '/api/v1/db/storage/upload-by-url', - [extractProjectIdAndAuthenticate, isUploadAllowed, catchError(uploadViaURL)] + [ + extractProjectIdAndAuthenticate, + catchError(isUploadAllowed), + catchError(uploadViaURL), + ] ); router.get(/^\/download\/(.+)$/, catchError(fileRead));