Allowing configuration endpoint access if user is configuration mod (#3936)

* showing error when fetch failed * added function to only use an array of middlewares in production * allowing patch configuration and get schema if user is a configuration mod * fixed empty middleware not working as expected
2025-12-28 02:48:43 +08:00 · 2023-01-24 16:00:29 +01:00 · 2023-01-24 16:00:29 +01:00 · 2f46176f34
commit 2f46176f34
parent b36c842921
3 changed files with 45 additions and 13 deletions
--- a/backend/src/api/routes/configuration.ts
+++ b/backend/src/api/routes/configuration.ts
@ -1,24 +1,39 @@
 import joi from "joi";
 import { Router } from "express";
-import { asyncHandler, validateRequest } from "../../middlewares/api-utils";
+import {
+  asyncHandler,
+  checkUserPermissions,
+  useInProduction,
+  validateRequest,
+} from "../../middlewares/api-utils";
 import * as ConfigurationController from "../controllers/configuration";
+import { authenticateRequest } from "../../middlewares/auth";

 const router = Router();

+const checkIfUserIsConfigurationMod = checkUserPermissions({
+  criteria: (user) => {
+    return !!user.configurationMod;
+  },
+});
+
 router.get("/", asyncHandler(ConfigurationController.getConfiguration));

-if (process.env.MODE === "dev") {
-  router.patch(
-    "/",
-    validateRequest({
-      body: {
-        configuration: joi.object(),
-      },
-    }),
-    asyncHandler(ConfigurationController.updateConfiguration)
-  );
+router.patch(
+  "/",
+  useInProduction([authenticateRequest(), checkIfUserIsConfigurationMod]),
+  validateRequest({
+    body: {
+      configuration: joi.object(),
+    },
+  }),
+  asyncHandler(ConfigurationController.updateConfiguration)
+);

-  router.get("/schema", asyncHandler(ConfigurationController.getSchema));
-}
+router.get(
+  "/schema",
+  useInProduction([authenticateRequest(), checkIfUserIsConfigurationMod]),
+  asyncHandler(ConfigurationController.getSchema)
+);

 export default router;
--- a/backend/src/middlewares/api-utils.ts
+++ b/backend/src/middlewares/api-utils.ts
@ -10,6 +10,12 @@ interface ValidationOptions<T> {
  invalidMessage?: string;
 }

+const emptyMiddleware = (
+  _req: MonkeyTypes.Request,
+  _res: Response,
+  next: NextFunction
+): void => next();
+
 /**
 * This utility checks that the server's configuration matches
 * the criteria.
@ -140,9 +146,19 @@ function validateRequest(validationSchema: ValidationSchema): RequestHandler {
  };
 }

+/**
+ * Uses the middlewares only in production. Otherwise, uses an empty middleware.
+ */
+function useInProduction(middlewares: RequestHandler[]): RequestHandler[] {
+  return middlewares.map((middleware) =>
+    process.env.MODE === "dev" ? emptyMiddleware : middleware
+  );
+}
+
 export {
  validateConfiguration,
  checkUserPermissions,
  asyncHandler,
  validateRequest,
+  useInProduction,
 };
--- a/backend/src/types/types.d.ts
+++ b/backend/src/types/types.d.ts
@ -171,6 +171,7 @@ declare namespace MonkeyTypes {
    timeTyping?: number;
    uid: string;
    quoteMod?: boolean;
+    configurationMod?: boolean;
    cannotReport?: boolean;
    banned?: boolean;
    canManageApeKeys?: boolean;