Browse Source

feat(nocodb): prevent non-owner edit log comment

pull/5341/head
Wing-Kam Wong 2 years ago
parent
commit
e3edb1b5e9
  1. 3
      packages/nocodb/src/lib/controllers/audit.ctl.ts
  2. 7
      packages/nocodb/src/lib/services/audit.svc.ts

3
packages/nocodb/src/lib/controllers/audit.ctl.ts

@ -30,10 +30,11 @@ export async function commentList(req: Request<any, any, any>, res) {
);
}
export async function commentUpdate(req: Request<any, any>, res) {
export async function commentUpdate(req, res) {
res.json(
await auditService.commentUpdate({
auditId: req.params.auditId,
userEmail: req?.session?.passport?.user.email,
body: req.body,
})
);

7
packages/nocodb/src/lib/services/audit.svc.ts

@ -3,6 +3,7 @@ import DOMPurify from 'isomorphic-dompurify';
import { validatePayload } from '../meta/api/helpers';
import Audit from '../models/Audit';
import Model from '../models/Model';
import { NcError } from '../meta/helpers/catchError';
import type { AuditRowUpdateReqType, CommentUpdateReqType } from 'nocodb-sdk';
export async function commentRow(param: {
@ -65,6 +66,7 @@ export async function commentsCount(param: {
export async function commentUpdate(param: {
auditId: string;
userEmail: string;
body: CommentUpdateReqType;
}) {
validatePayload(
@ -72,5 +74,10 @@ export async function commentUpdate(param: {
param.body
);
const log = await Audit.get(param.auditId);
if (log.user !== param.userEmail) {
NcError.unauthorized('Unauthorized access');
}
return await Audit.commentUpdate(param.auditId, param.body);
}

Loading…
Cancel
Save