Merge pull request 'protect shared items collection' (#6) from dev into main

Reviewed-on: #6
2023-02-17 22:23:16 +01:00 · 2023-02-17 22:23:16 +01:00 · 2d1e117b66
commit 2d1e117b66
parent df0cc26e71 27bd25b357
3 changed files with 14 additions and 7 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -21,3 +21,6 @@ steps:
    when:
      branch:
        - main
+      event:
+        exclude:
+          - pull_request
--- a/router/share.js
+++ b/router/share.js
@ -8,9 +8,13 @@ var passport = server.passport;

 router.route("/")
  .get(passport.authenticate("jwt", { session: false }), (req, res) => {
+    if (req.user.roles.includes("admin")) {
      database.share.collection(result => {
        res.json(result).status(200).end();
      })
+    } else {
+      res.status(403).end();
+    }
  });
 router.route("/:id")
  .get((req, res) => {
--- a/router/system.js
+++ b/router/system.js
@ -19,7 +19,7 @@ router
    })
  })
  .post(passport.authenticate("jwt", { session: false }), (req, res) => {
-    if (req.user.roles.indexOf("admin") > -1) {
+    if (req.user.roles.includes("admin")) {
      database.system.setAllows(req.body, () => {
        res.status(200).end();
      })
@ -31,7 +31,7 @@ router
 router
  .route("/domains")
  .get(passport.authenticate("jwt", { session: false }), (req, res) => {
-    if (req.user.roles.indexOf("admin") > -1) {
+    if (req.user.roles.includes("admin")) {
      let domains = {
        const: config.allowed_domains,
        dynamic: []
@ -47,7 +47,7 @@ router
    }
  })
  .post(passport.authenticate("jwt", { session: false }), (req, res) => {
-    if (req.user.roles.indexOf("admin") > -1) {
+    if (req.user.roles.includes("admin")) {
      database.system.setDomains(req.body, () => {
        res.status(200).end();
      });