From 2f46176f34374bd7ddcf0853d995738d32fefee8 Mon Sep 17 00:00:00 2001
From: Jack
Date: Tue, 24 Jan 2023 16:00:29 +0100
Subject: [PATCH] Allowing configuration endpoint access if user is configuration mod (#3936)
* showing error when fetch failed
* added function to only use an array of middlewares in production
* allowing patch configuration and get schema if user is a configuration mod
* fixed empty middleware not working as expected
---
 backend/src/api/routes/configuration.ts | 41 +++++++++++++++++--------
 backend/src/middlewares/api-utils.ts | 16 ++++++++++
 backend/src/types/types.d.ts | 1 +
 3 files changed, 45 insertions(+), 13 deletions(-)
diff --git a/backend/src/api/routes/configuration.ts b/backend/src/api/routes/configuration.ts
index 50af94df1..b0a94c7b0 100644
--- a/backend/src/api/routes/configuration.ts
+++ b/backend/src/api/routes/configuration.ts
@@ -1,24 +1,39 @@
 import joi from "joi";
 import { Router } from "express";
-import { asyncHandler, validateRequest } from "../../middlewares/api-utils";
+import {
+ asyncHandler,
+ checkUserPermissions,
+ useInProduction,
+ validateRequest,
+} from "../../middlewares/api-utils";
 import * as ConfigurationController from "../controllers/configuration";
+import { authenticateRequest } from "../../middlewares/auth";
 
 const router = Router();
 
+const checkIfUserIsConfigurationMod = checkUserPermissions({
+ criteria: (user) => {
+ return !!user.configurationMod;
+ },
+});
+
 router.get("/", asyncHandler(ConfigurationController.getConfiguration));
 
-if (process.env.MODE === "dev") {
- router.patch(
- "/",
- validateRequest({
- body: {
- configuration: joi.object(),
- },
- }),
- asyncHandler(ConfigurationController.updateConfiguration)
- );
+router.patch(
+ "/",
+ useInProduction([authenticateRequest(), checkIfUserIsConfigurationMod]),
+ validateRequest({
+ body: {
+ configuration: joi.object(),
+ },
+ }),
+ asyncHandler(ConfigurationController.updateConfiguration)
+);
 
- router.get("/schema", asyncHandler(ConfigurationController.getSchema));
-}
+router.get(
+ "/schema",
+ useInProduction([authenticateRequest(), checkIfUserIsConfigurationMod]),
+ asyncHandler(ConfigurationController.getSchema)
+);
 
 export default router;
diff --git a/backend/src/middlewares/api-utils.ts b/backend/src/middlewares/api-utils.ts
index 1d1e8de7d..ccda2670e 100644
--- a/backend/src/middlewares/api-utils.ts
+++ b/backend/src/middlewares/api-utils.ts
@@ -10,6 +10,12 @@ interface ValidationOptions {
 invalidMessage?: string;
 }
 
+const emptyMiddleware = (
+ _req: MonkeyTypes.Request,
+ _res: Response,
+ next: NextFunction
+): void => next();
+
 /**
 * This utility checks that the server's configuration matches
 * the criteria.
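Review bot: The same guard chain `useInProduction([authenticateRequest(), checkIfUserIsConfigurationMod])` is built twice, once for `router.patch("/")` and once for `router.get("/schema")`; hoist it into one constant next to `checkIfUserIsConfigurationMod`, e.g. `const configurationModOnly = useInProduction([authenticateRequest(), checkIfUserIsConfigurationMod]);`, so the two privileged routes cannot drift apart. That constant also deserves a comment saying the whole chain is replaced by pass-through middleware when `MODE === "dev"`, because nothing at the call site shows the guard is conditional. `checkUserPermissions` presumably resolves the user record before applying the criteria, so `!!user.configurationMod` is only as trustworthy as that lookup; the criteria itself is fine given the field is optional.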
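Review bot: `emptyMiddleware` carries no doc comment although it is the mechanism by which authentication and permission checks are switched off; add `/** Pass-through middleware: calls next() without touching the request. Substituted for real guards by useInProduction when MODE === "dev". */` above it. `Response` and `NextFunction` are referenced without a visible import; presumably they are already imported at the top of the file, which is outside this hunk.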
@@ -140,9 +146,19 @@ function validateRequest(validationSchema: ValidationSchema): RequestHandler {
 };
 }
 
+/**
+ * Uses the middlewares only in production. Otherwise, uses an empty middleware.
+ */
+function useInProduction(middlewares: RequestHandler[]): RequestHandler[] {
+ return middlewares.map((middleware) =>
+ process.env.MODE === "dev" ? emptyMiddleware : middleware
+ );
+}
+
 export {
 validateConfiguration,
 checkUserPermissions,
 asyncHandler,
 validateRequest,
+ useInProduction,
 };
diff --git a/backend/src/types/types.d.ts b/backend/src/types/types.d.ts
index 2af9cd8c6..352fc14c4 100644
--- a/backend/src/types/types.d.ts
+++ b/backend/src/types/types.d.ts
@@ -171,6 +171,7 @@ declare namespace MonkeyTypes {
 timeTyping?: number;
 uid: string;
 quoteMod?: boolean;
+ configurationMod?: boolean;
 cannotReport?: boolean;
 banned?: boolean;
 canManageApeKeys?: boolean;
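Review bot: The name and doc comment say "only in production", but the condition on the new `process.env.MODE === "dev" ? emptyMiddleware : middleware` line keeps the middlewares for every value of MODE other than the literal "dev" (unset, "test", a typo), so the guards are on by default; that fail-closed behaviour is the right default for an auth chain and should be stated rather than implied. Replace the comment with `/** Returns the middlewares unchanged unless MODE === "dev", in which case each is replaced by a no-op pass-through; any other or unset MODE keeps the guards (fail-closed). Evaluated once when the route is registered, not per request. */`. The once-at-registration point follows from `map` running when `useInProduction` is called, which in configuration.ts happens at module load.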