From 620ea537a9e471748bb15322f19312926b8c2f79 Mon Sep 17 00:00:00 2001
From: Pranav C
Date: Mon, 10 Apr 2023 23:58:14 +0530
Subject: [PATCH] fix: add missing auth guard
Signed-off-by: Pranav C
---
 .../attachments/attachments.controller.ts | 38 +++----------------
 1 file changed, 6 insertions(+), 32 deletions(-)
diff --git a/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts b/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts
index 273732c105..0ae3660362 100644
--- a/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts
+++ b/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts
@@ -7,9 +7,9 @@ import {
 Query,
 Request,
 Response,
- UploadedFiles,
+ UploadedFiles, UseGuards,
 UseInterceptors,
-} from '@nestjs/common';
+} from '@nestjs/common'
 import multer from 'multer';
 import { FileInterceptor, FilesInterceptor } from '@nestjs/platform-express';
 import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk';
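Review bot: The rewritten import closer `} from '@nestjs/common'` drops the semicolon that every other import in the hunk keeps (`import multer from 'multer';`), and the new `ExtractProjectIdMiddleware` import in the next hunk has the same omission; restore both as `} from '@nestjs/common';` and `...extract-project-id.middleware';`. `UploadedFiles, UseGuards,` also puts two specifiers on one line while the rest of the list is one per line, which Prettier would reflow anyway. The import statement starts before the hunk.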
@@ -17,44 +17,17 @@ import path from 'path';
 import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants';
 import { NcError } from '../../helpers/catchError';
 import { UploadAllowedInterceptor } from '../../interceptors/is-upload-allowed/is-upload-allowed.interceptor';
+import { ExtractProjectIdMiddleware } from '../../middlewares/extract-project-id/extract-project-id.middleware'
 import Noco from '../../Noco';
 import { MetaTable } from '../../utils/globals';
 import { AttachmentsService } from './attachments.service';
-
-const isUploadAllowedMw = async (req: Request, _res: Response, next: any) => {
- if (!req['user']?.id) {
- if (!req['user']?.isPublicBase) {
- NcError.unauthorized('Unauthorized');
- }
- }
-
- try {
- // check user is super admin or creator
- if (
- req['user'].roles?.includes(OrgUserRoles.SUPER_ADMIN) ||
- req['user'].roles?.includes(OrgUserRoles.CREATOR) ||
- req['user'].roles?.includes(ProjectRoles.EDITOR) ||
- // if viewer then check at-least one project have editor or higher role
- // todo: cache
- !!(await Noco.ncMeta
- .knex(MetaTable.PROJECT_USERS)
- .where(function () {
- this.where('roles', ProjectRoles.OWNER);
- this.orWhere('roles', ProjectRoles.CREATOR);
- this.orWhere('roles', ProjectRoles.EDITOR);
- })
- .andWhere('fk_user_id', req['user'].id)
- .first())
- )
- return next();
- } catch {}
- NcError.badRequest('Upload not allowed');
-};
+import { AuthGuard } from '@nestjs/passport';
 
 @Controller()
 export class AttachmentsController {
 constructor(private readonly attachmentsService: AttachmentsService) {}
 
+ @UseGuards(ExtractProjectIdMiddleware, AuthGuard('jwt'))
 @Post(
 '/api/v1/db/storage/upload',
 // multer({
@@ -104,6 +77,7 @@ export class AttachmentsController {
 // catchError(uploadViaURL),
 // ]
 // );
+ @UseGuards(ExtractProjectIdMiddleware, AuthGuard('jwt'))
 async uploadViaURL(@Body() body: any, @Query('path') path: string) {
 const attachments = await this.attachmentsService.uploadViaURL({
 urls: body,
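Review bot: `AuthGuard('jwt')` added above `@Post('/api/v1/db/storage/upload')` (and again on `uploadViaURL` in the last hunk) only authenticates, while the deleted `isUploadAllowedMw` also authorized: it required a super-admin/creator/editor org role or an editor-or-higher role on at least one project, and it let `isPublicBase` requests through without a user. Unless `UploadAllowedInterceptor` (imported here, applied outside this hunk) reproduces that role check, every authenticated user, viewers included, can now reach both upload handlers, and shared-base uploads that relied on `isPublicBase` will be rejected by the JWT guard; worth confirming before merge rather than assuming. `ExtractProjectIdMiddleware` is named as a middleware but is passed to `@UseGuards`, which only invokes classes implementing `CanActivate`, and it is listed before the JWT guard so it cannot rely on `req.user`; if it needs the user, reorder to `@UseGuards(AuthGuard('jwt'), ExtractProjectIdMiddleware)` on both methods. Both decorated methods continue outside the hunk.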