From 6c43cf5f6209a0eafb48e74bef6e743ad5ccfe86 Mon Sep 17 00:00:00 2001
From: Artem Anufrij
Date: Fri, 17 Feb 2023 22:20:09 +0100
Subject: [PATCH] protect shared items collection

fix #4
---
 router/share.js | 10 +++++++---
 router/system.js | 6 +++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/router/share.js b/router/share.js
index 65ce517..81b1db9 100644
--- a/router/share.js
+++ b/router/share.js
@@ -8,9 +8,13 @@ var passport = server.passport;
 router.route("/")
 .get(passport.authenticate("jwt", { session: false }), (req, res) => {
- database.share.collection(result => {
- res.json(result).status(200).end();
- })
+ if (req.user.roles.includes("admin")) {
+ database.share.collection(result => {
+ res.json(result).status(200).end();
+ })
+ } else {
+ res.status(403).end();
+ }
 });
 router.route("/:id")
 .get((req, res) => {
diff --git a/router/system.js b/router/system.js
index 3b4b6de..47901f9 100644
--- a/router/system.js
+++ b/router/system.js
@@ -19,7 +19,7 @@ router
 })
 })
 .post(passport.authenticate("jwt", { session: false }), (req, res) => {
- if (req.user.roles.indexOf("admin") > -1) {
+ if (req.user.roles.includes("admin")) {
 database.system.setAllows(req.body, () => {
 res.status(200).end();
 })
@@ -31,7 +31,7 @@ router
 router
 .route("/domains")
 .get(passport.authenticate("jwt", { session: false }), (req, res) => {
- if (req.user.roles.indexOf("admin") > -1) {
+ if (req.user.roles.includes("admin")) {
 let domains = {
 const: config.allowed_domains,
 dynamic: []
@@ -47,7 +47,7 @@ router
 }
 })
 .post(passport.authenticate("jwt", { session: false }), (req, res) => {
- if (req.user.roles.indexOf("admin") > -1) {
+ if (req.user.roles.includes("admin")) {
 database.system.setDomains(req.body, () => {
 res.status(200).end();
 });
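Review bot: The admin guard added to share.js's `/` handler reads `req.user.roles` without checking it exists, so a JWT principal whose record lacks a roles array would fail with a TypeError (an unhandled 500) instead of the intended 403; unless the deserializer guarantees the array, `Array.isArray(req.user?.roles) && req.user.roles.includes("admin")` is the safer test. The same inline check now appears here and in the three system.js hunks, and each site re-implements the 403 branch by hand, so a single `requireAdmin` middleware placed after `passport.authenticate` would keep the authorization decision in one place and make future routes fail closed by default — the fence below sketches it for the share.js route. While touching the re-added lines, `res.json(result).status(200).end()` sets the status after `json()` has already sent the body; `res.status(200).json(result)` is the effective order. The `/:id` handler that begins on the hunk's last context lines carries no `passport.authenticate`, which may well be intended for link-style access to a single shared item, but a one-line comment stating that the listing is admin-only while individual items are public would make that boundary explicit; that handler's body continues outside the hunk.
```javascript
// Shared guard: must run after passport.authenticate so req.user is populated.
// Fails closed (403) when the principal has no roles array or lacks "admin".
function requireAdmin(req, res, next) {
    if (Array.isArray(req.user?.roles) && req.user.roles.includes("admin")) {
        return next();
    }
    res.status(403).end();
}

router.route("/")
    .get(passport.authenticate("jwt", { session: false }), requireAdmin, (req, res) => {
        database.share.collection(result => {
            res.status(200).json(result);
        })
    });
// … unchanged: router.route("/:id") handler …
```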