fix: attachment middleware

Signed-off-by: Pranav C <pranavxc@gmail.com>
1 year ago · aa84df43cc
3 changed files with 63 additions and 5 deletions
--- a/packages/nocodb-nest/src/interceptors/is-upload-allowed/is-upload-allowed.interceptor.spec.ts
+++ b/packages/nocodb-nest/src/interceptors/is-upload-allowed/is-upload-allowed.interceptor.spec.ts
@ -0,0 +1,7 @@
+import { IsUploadAllowedInterceptor } from './is-upload-allowed.interceptor';
+
+describe('IsUploadAllowedInterceptor', () => {
+  it('should be defined', () => {
+    expect(new IsUploadAllowedInterceptor()).toBeDefined();
+  });
+});
--- a/packages/nocodb-nest/src/interceptors/is-upload-allowed/is-upload-allowed.interceptor.ts
+++ b/packages/nocodb-nest/src/interceptors/is-upload-allowed/is-upload-allowed.interceptor.ts
@ -0,0 +1,49 @@
+import {
+  Injectable,
+  NestInterceptor,
+  ExecutionContext,
+  CallHandler,
+} from '@nestjs/common';
+import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk';
+import { Observable, throwError } from 'rxjs';
+import { NcError } from '../../helpers/catchError';
+import Noco from '../../Noco';
+import extractRolesObj from '../../utils/extractRolesObj';
+import { MetaTable } from '../../utils/globals';
+
+@Injectable()
+export class UploadAllowedInterceptor implements NestInterceptor {
+  async intercept(
+    context: ExecutionContext,
+    next: CallHandler,
+  ): Promise<Observable<any>> {
+    const request = context.switchToHttp().getRequest();
+
+    if (!request['user']?.id) {
+      if (!request['user']?.isPublicBase) {
+        NcError.unauthorized('Unauthorized');
+      }
+    }
+
+    try {
+      if (
+        extractRolesObj(request['user'].roles)[OrgUserRoles.SUPER_ADMIN] ||
+        extractRolesObj(request['user'].roles)[OrgUserRoles.CREATOR] ||
+        extractRolesObj(request['user'].roles)[ProjectRoles.EDITOR] ||
+        !!(await Noco.ncMeta
+          .knex(MetaTable.PROJECT_USERS)
+          .where(function () {
+            this.where('roles', ProjectRoles.OWNER);
+            this.orWhere('roles', ProjectRoles.CREATOR);
+            this.orWhere('roles', ProjectRoles.EDITOR);
+          })
+          .andWhere('fk_user_id', request['user'].id)
+          .first())
+      ) {
+        return next.handle();
+      }
+    } catch {}
+
+    NcError.badRequest('Upload not allowed');
+  }
+}
--- a/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts
+++ b/packages/nocodb-nest/src/modules/attachments/attachments.controller.ts
@ -10,12 +10,13 @@ import {
  UploadedFiles,
  UseInterceptors,
 } from '@nestjs/common';
-import  multer  from 'multer';
-import { FileInterceptor, FilesInterceptor } from '@nestjs/platform-express'
+import multer from 'multer';
+import { FileInterceptor, FilesInterceptor } from '@nestjs/platform-express';
 import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk';
 import path from 'path';
-import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants'
+import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants';
 import { NcError } from '../../helpers/catchError';
+import { UploadAllowedInterceptor } from '../../interceptors/is-upload-allowed/is-upload-allowed.interceptor';
 import Noco from '../../Noco';
 import { MetaTable } from '../../utils/globals';
 import { AttachmentsService } from './attachments.service';
@ -70,7 +71,8 @@ export class AttachmentsController {
    // );
  )
  @UseInterceptors(
-    FilesInterceptor('files[]', null,{
+    UploadAllowedInterceptor,
+    FilesInterceptor('files[]', null, {
      storage: multer.diskStorage({}),
      // limits: {
      //   fieldSize: NC_ATTACHMENT_FIELD_SIZE,
@ -95,7 +97,7 @@ export class AttachmentsController {
  }

  @Post('/api/v1/db/storage/upload-by-url')
-
+  @UseInterceptors(UploadAllowedInterceptor)
  //   [
  //     extractProjectIdAndAuthenticate,
  //   catchError(isUploadAllowedMw),