diff --git a/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts b/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts index 273732c105..0ae3660362 100644 --- a/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts +++ b/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts @@ -7,9 +7,9 @@ import { Query, Request, Response, - UploadedFiles, + UploadedFiles, UseGuards, UseInterceptors, -} from '@nestjs/common'; +} from '@nestjs/common' import multer from 'multer'; import { FileInterceptor, FilesInterceptor } from '@nestjs/platform-express'; import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk'; @@ -17,44 +17,17 @@ import path from 'path'; import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants'; import { NcError } from '../../helpers/catchError'; import { UploadAllowedInterceptor } from '../../interceptors/is-upload-allowed/is-upload-allowed.interceptor'; +import { ExtractProjectIdMiddleware } from '../../middlewares/extract-project-id/extract-project-id.middleware' import Noco from '../../Noco'; import { MetaTable } from '../../utils/globals'; import { AttachmentsService } from './attachments.service'; - -const isUploadAllowedMw = async (req: Request, _res: Response, next: any) => { - if (!req['user']?.id) { - if (!req['user']?.isPublicBase) { - NcError.unauthorized('Unauthorized'); - } - } - - try { - // check user is super admin or creator - if ( - req['user'].roles?.includes(OrgUserRoles.SUPER_ADMIN) || - req['user'].roles?.includes(OrgUserRoles.CREATOR) || - req['user'].roles?.includes(ProjectRoles.EDITOR) || - // if viewer then check at-least one project have editor or higher role - // todo: cache - !!(await Noco.ncMeta - .knex(MetaTable.PROJECT_USERS) - .where(function () { - this.where('roles', ProjectRoles.OWNER); - this.orWhere('roles', ProjectRoles.CREATOR); - this.orWhere('roles', ProjectRoles.EDITOR); - }) - .andWhere('fk_user_id', req['user'].id) - .first()) - ) - return next(); - } catch {} - NcError.badRequest('Upload not allowed'); -}; +import { AuthGuard } from '@nestjs/passport'; @Controller() export class AttachmentsController { constructor(private readonly attachmentsService: AttachmentsService) {} + @UseGuards(ExtractProjectIdMiddleware, AuthGuard('jwt')) @Post( '/api/v1/db/storage/upload', // multer({ @@ -104,6 +77,7 @@ export class AttachmentsController { // catchError(uploadViaURL), // ] // ); + @UseGuards(ExtractProjectIdMiddleware, AuthGuard('jwt')) async uploadViaURL(@Body() body: any, @Query('path') path: string) { const attachments = await this.attachmentsService.uploadViaURL({ urls: body,