
fix: add missing auth guard

Signed-off-by: Pranav C <pranavxc@gmail.com>
pull/5444/head
Pranav C 2 years ago
parent
commit
620ea537a9
  1. 38
      packages/nocodb-nest/src/modules/attachments/attachments.controller.ts

38
packages/nocodb-nest/src/modules/attachments/attachments.controller.ts

@ -7,9 +7,9 @@ import {
Query, Query,
Request, Request,
Response, Response,
UploadedFiles, UploadedFiles, UseGuards,
UseInterceptors, UseInterceptors,
} from '@nestjs/common'; } from '@nestjs/common'
import multer from 'multer'; import multer from 'multer';
import { FileInterceptor, FilesInterceptor } from '@nestjs/platform-express'; import { FileInterceptor, FilesInterceptor } from '@nestjs/platform-express';
import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk'; import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk';
@ -17,44 +17,17 @@ import path from 'path';
import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants'; import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants';
import { NcError } from '../../helpers/catchError'; import { NcError } from '../../helpers/catchError';
import { UploadAllowedInterceptor } from '../../interceptors/is-upload-allowed/is-upload-allowed.interceptor'; import { UploadAllowedInterceptor } from '../../interceptors/is-upload-allowed/is-upload-allowed.interceptor';
import { ExtractProjectIdMiddleware } from '../../middlewares/extract-project-id/extract-project-id.middleware'
import Noco from '../../Noco'; import Noco from '../../Noco';
import { MetaTable } from '../../utils/globals'; import { MetaTable } from '../../utils/globals';
import { AttachmentsService } from './attachments.service'; import { AttachmentsService } from './attachments.service';
import { AuthGuard } from '@nestjs/passport';
const isUploadAllowedMw = async (req: Request, _res: Response, next: any) => {
if (!req['user']?.id) {
if (!req['user']?.isPublicBase) {
NcError.unauthorized('Unauthorized');
}
}
try {
// check user is super admin or creator
if (
req['user'].roles?.includes(OrgUserRoles.SUPER_ADMIN) ||
req['user'].roles?.includes(OrgUserRoles.CREATOR) ||
req['user'].roles?.includes(ProjectRoles.EDITOR) ||
// if viewer then check at-least one project have editor or higher role
// todo: cache
!!(await Noco.ncMeta
.knex(MetaTable.PROJECT_USERS)
.where(function () {
this.where('roles', ProjectRoles.OWNER);
this.orWhere('roles', ProjectRoles.CREATOR);
this.orWhere('roles', ProjectRoles.EDITOR);
})
.andWhere('fk_user_id', req['user'].id)
.first())
)
return next();
} catch {}
NcError.badRequest('Upload not allowed');
};
@Controller() @Controller()
export class AttachmentsController { export class AttachmentsController {
constructor(private readonly attachmentsService: AttachmentsService) {} constructor(private readonly attachmentsService: AttachmentsService) {}
@UseGuards(ExtractProjectIdMiddleware, AuthGuard('jwt'))
@Post( @Post(
'/api/v1/db/storage/upload', '/api/v1/db/storage/upload',
// multer({ // multer({
@ -104,6 +77,7 @@ export class AttachmentsController {
// catchError(uploadViaURL), // catchError(uploadViaURL),
// ] // ]
// ); // );
@UseGuards(ExtractProjectIdMiddleware, AuthGuard('jwt'))
async uploadViaURL(@Body() body: any, @Query('path') path: string) { async uploadViaURL(@Body() body: any, @Query('path') path: string) {
const attachments = await this.attachmentsService.uploadViaURL({ const attachments = await this.attachmentsService.uploadViaURL({
urls: body, urls: body,
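Review bot: The `@UseGuards(ExtractProjectIdMiddleware, AuthGuard('jwt'))` added on both upload handlers only authenticates the JWT; it does not reproduce the authorization check the removed isUploadAllowedMw performed (super admin, creator, editor, or an owner/creator/editor role in at least one project row), so unless UploadAllowedInterceptor — imported at the top of the file but not visibly applied in these hunks — is attached to both handlers, any authenticated user including a viewer can upload. The old middleware also admitted requests flagged `isPublicBase`, which AuthGuard('jwt') will now reject outright; if shared-base uploads are expected to work, that path needs its own explicit guard rather than silently becoming a 401. I would either add `@UseInterceptors(UploadAllowedInterceptor)` next to each new `@UseGuards` line, or put a comment above the guard stating where the role check now lives, e.g. `// authz (editor-or-higher) is enforced by UploadAllowedInterceptor, not by this guard`. The new-side lines `} from '@nestjs/common'` and the ExtractProjectIdMiddleware import also drop the trailing semicolon that every other import in the file keeps. The `@Post` handler's body continues outside the first hunk, and `uploadViaURL`'s body runs past the last visible line.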
