diff --git a/backend/__tests__/api/controllers/ape-key.spec.ts b/backend/__tests__/api/controllers/ape-key.spec.ts
index 5f33d32fe..6061a4e99 100644
--- a/backend/__tests__/api/controllers/ape-key.spec.ts
+++ b/backend/__tests__/api/controllers/ape-key.spec.ts
@@ -11,7 +11,7 @@ const configuration = Configuration.getCachedConfiguration();
 const uid = new ObjectId().toHexString();
 describe("ApeKeyController", () => {
- const getUserMock = vi.spyOn(UserDal, "getUser");
+ const getUserMock = vi.spyOn(UserDal, "getPartialUser");
 beforeEach(async () => {
 await enableApeKeysEndpoints(true);
diff --git a/backend/src/api/routes/ape-keys.ts b/backend/src/api/routes/ape-keys.ts
index 2038c887a..56cb0a465 100644
--- a/backend/src/api/routes/ape-keys.ts
+++ b/backend/src/api/routes/ape-keys.ts
@@ -13,7 +13,7 @@ const commonMiddleware = [
 },
 invalidMessage: "ApeKeys are currently disabled.",
 }),
- checkUserPermissions({
+ checkUserPermissions(["canManageApeKeys"], {
 criteria: (user) => {
 return user.canManageApeKeys ?? true;
 },
diff --git a/backend/src/api/routes/quotes.ts b/backend/src/api/routes/quotes.ts
index 19a4f7604..79784b5af 100644
--- a/backend/src/api/routes/quotes.ts
+++ b/backend/src/api/routes/quotes.ts
@@ -10,7 +10,7 @@ import { validateRequest } from "../../middlewares/validation";
 const router = Router();
-const checkIfUserIsQuoteMod = checkUserPermissions({
+const checkIfUserIsQuoteMod = checkUserPermissions(["quoteMod"], {
 criteria: (user) => {
 return (
 user.quoteMod === true ||
@@ -171,7 +171,7 @@ router.post(
 captcha: withCustomMessages.regex(/[\w-_]+/).required(),
 },
 }),
- checkUserPermissions({
+ checkUserPermissions(["canReport"], {
 criteria: (user) => {
 return user.canReport !== false;
 },
diff --git a/backend/src/api/routes/users.ts b/backend/src/api/routes/users.ts
index 0b6d81ec2..1febadf8d 100644
--- a/backend/src/api/routes/users.ts
+++ b/backend/src/api/routes/users.ts
@@ -638,7 +638,7 @@ router.post(
 captcha: withCustomMessages.regex(/[\w-_]+/).required(),
 },
 }),
- checkUserPermissions({
+ checkUserPermissions(["canReport"], {
 criteria: (user) => {
 return user.canReport !== false;
 },
diff --git a/backend/src/middlewares/permission.ts b/backend/src/middlewares/permission.ts
index 7be634cee..cd10afad8 100644
--- a/backend/src/middlewares/permission.ts
+++ b/backend/src/middlewares/permission.ts
@@ -1,7 +1,7 @@
 import _ from "lodash";
 import MonkeyError from "../utils/error";
 import type { Response, NextFunction, RequestHandler } from "express";
-import { getUser } from "../dal/user";
+import { getPartialUser } from "../dal/user";
 import { isAdmin } from "../dal/admin-uids";
 import type { ValidationOptions } from "./configuration";
@@ -34,8 +34,9 @@ export function checkIfUserIsAdmin(): RequestHandler {
 * Check user permissions before handling request.
 * Note that this middleware must be used after authentication in the middleware stack.
 */
-export function checkUserPermissions(
- options: ValidationOptions
+export function checkUserPermissions(
+ fields: K[],
+ options: ValidationOptions>
 ): RequestHandler {
 const { criteria, invalidMessage = "You don't have permission to do this." } =
 options;
@@ -48,7 +49,11 @@ export function checkUserPermissions(
 try {
 const { uid } = req.ctx.decodedToken;
- const userData = await getUser(uid, "check user permissions");
+ const userData = await getPartialUser(
+ uid,
+ "check user permissions",
+ fields
+ );
 const hasPermission = criteria(userData);
 if (!hasPermission) {
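Review bot: The TSDoc block above `checkUserPermissions` in permission.ts is left untouched while the signature gains a `fields` parameter, so the contract that `fields` must list every property `criteria` reads is undocumented; add `@param fields - user document fields to load from the DAL; must include every field that \`criteria\` inspects` and `@param options - the \`criteria\` predicate and optional \`invalidMessage\``. This matters because the route-level predicates updated in ape-keys.ts (`user.canManageApeKeys ?? true`), quotes.ts and users.ts (`user.canReport !== false`) fail open when the field is absent, so a projection that omits the field would grant the permission rather than deny it. The generic constraint on `K` presumably ties `fields` to the shape `criteria` receives, but the angle-bracketed type text is stripped in this rendering (`options: ValidationOptions>`), so that cannot be confirmed from the hunk; stating the fail-open consequence in the same comment makes future field lists easier to review. The body of `checkUserPermissions` continues outside the last hunk.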