Browse Source

fix: attachment middleware

Signed-off-by: Pranav C <pranavxc@gmail.com>
pull/5444/head
Pranav C 2 years ago
parent
commit
aa84df43cc
  1. 7
      packages/nocodb-nest/src/interceptors/is-upload-allowed/is-upload-allowed.interceptor.spec.ts
  2. 49
      packages/nocodb-nest/src/interceptors/is-upload-allowed/is-upload-allowed.interceptor.ts
  3. 12
      packages/nocodb-nest/src/modules/attachments/attachments.controller.ts

7
packages/nocodb-nest/src/interceptors/is-upload-allowed/is-upload-allowed.interceptor.spec.ts

@ -0,0 +1,7 @@
import { IsUploadAllowedInterceptor } from './is-upload-allowed.interceptor';
describe('IsUploadAllowedInterceptor', () => {
it('should be defined', () => {
expect(new IsUploadAllowedInterceptor()).toBeDefined();
});
});

49
packages/nocodb-nest/src/interceptors/is-upload-allowed/is-upload-allowed.interceptor.ts

@ -0,0 +1,49 @@
import {
Injectable,
NestInterceptor,
ExecutionContext,
CallHandler,
} from '@nestjs/common';
import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk';
import { Observable, throwError } from 'rxjs';
import { NcError } from '../../helpers/catchError';
import Noco from '../../Noco';
import extractRolesObj from '../../utils/extractRolesObj';
import { MetaTable } from '../../utils/globals';
@Injectable()
export class UploadAllowedInterceptor implements NestInterceptor {
async intercept(
context: ExecutionContext,
next: CallHandler,
): Promise<Observable<any>> {
const request = context.switchToHttp().getRequest();
if (!request['user']?.id) {
if (!request['user']?.isPublicBase) {
NcError.unauthorized('Unauthorized');
}
}
try {
if (
extractRolesObj(request['user'].roles)[OrgUserRoles.SUPER_ADMIN] ||
extractRolesObj(request['user'].roles)[OrgUserRoles.CREATOR] ||
extractRolesObj(request['user'].roles)[ProjectRoles.EDITOR] ||
!!(await Noco.ncMeta
.knex(MetaTable.PROJECT_USERS)
.where(function () {
this.where('roles', ProjectRoles.OWNER);
this.orWhere('roles', ProjectRoles.CREATOR);
this.orWhere('roles', ProjectRoles.EDITOR);
})
.andWhere('fk_user_id', request['user'].id)
.first())
) {
return next.handle();
}
} catch {}
NcError.badRequest('Upload not allowed');
}
}

12
packages/nocodb-nest/src/modules/attachments/attachments.controller.ts

@ -10,12 +10,13 @@ import {
UploadedFiles,
UseInterceptors,
} from '@nestjs/common';
import multer from 'multer';
import { FileInterceptor, FilesInterceptor } from '@nestjs/platform-express'
import multer from 'multer';
import { FileInterceptor, FilesInterceptor } from '@nestjs/platform-express';
import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk';
import path from 'path';
import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants'
import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants';
import { NcError } from '../../helpers/catchError';
import { UploadAllowedInterceptor } from '../../interceptors/is-upload-allowed/is-upload-allowed.interceptor';
import Noco from '../../Noco';
import { MetaTable } from '../../utils/globals';
import { AttachmentsService } from './attachments.service';
@ -70,7 +71,8 @@ export class AttachmentsController {
// );
)
@UseInterceptors(
FilesInterceptor('files[]', null,{
UploadAllowedInterceptor,
FilesInterceptor('files[]', null, {
storage: multer.diskStorage({}),
// limits: {
// fieldSize: NC_ATTACHMENT_FIELD_SIZE,
@ -95,7 +97,7 @@ export class AttachmentsController {
}
@Post('/api/v1/db/storage/upload-by-url')
@UseInterceptors(UploadAllowedInterceptor)
// [
// extractProjectIdAndAuthenticate,
// catchError(isUploadAllowedMw),

Loading…
Cancel
Save