fix(server): improve security of admin/drive/show-file
This commit is contained in:
parent
a7f464147d
commit
b161f38710
|
@ -1,5 +1,5 @@
|
||||||
import { Inject, Injectable } from '@nestjs/common';
|
import { Inject, Injectable } from '@nestjs/common';
|
||||||
import type { DriveFilesRepository } from '@/models/index.js';
|
import type { DriveFilesRepository, UsersRepository } from '@/models/index.js';
|
||||||
import { Endpoint } from '@/server/api/endpoint-base.js';
|
import { Endpoint } from '@/server/api/endpoint-base.js';
|
||||||
import { DI } from '@/di-symbols.js';
|
import { DI } from '@/di-symbols.js';
|
||||||
import { RoleService } from '@/core/RoleService.js';
|
import { RoleService } from '@/core/RoleService.js';
|
||||||
|
@ -161,6 +161,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
|
||||||
@Inject(DI.driveFilesRepository)
|
@Inject(DI.driveFilesRepository)
|
||||||
private driveFilesRepository: DriveFilesRepository,
|
private driveFilesRepository: DriveFilesRepository,
|
||||||
|
|
||||||
|
@Inject(DI.usersRepository)
|
||||||
|
private usersRepository: UsersRepository,
|
||||||
|
|
||||||
private roleService: RoleService,
|
private roleService: RoleService,
|
||||||
) {
|
) {
|
||||||
super(meta, paramDef, async (ps, me) => {
|
super(meta, paramDef, async (ps, me) => {
|
||||||
|
@ -178,7 +181,12 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
|
||||||
throw new ApiError(meta.errors.noSuchFile);
|
throw new ApiError(meta.errors.noSuchFile);
|
||||||
}
|
}
|
||||||
|
|
||||||
const isModerator = await this.roleService.isModerator(me);
|
const owner = file.userId ? await this.usersRepository.findOneByOrFail({
|
||||||
|
id: file.userId,
|
||||||
|
}) : null;
|
||||||
|
|
||||||
|
const iAmModerator = await this.roleService.isModerator(me);
|
||||||
|
const ownerIsModerator = owner ? await this.roleService.isModerator(owner) : false;
|
||||||
|
|
||||||
return {
|
return {
|
||||||
id: file.id,
|
id: file.id,
|
||||||
|
@ -207,8 +215,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
|
||||||
name: file.name,
|
name: file.name,
|
||||||
md5: file.md5,
|
md5: file.md5,
|
||||||
createdAt: file.createdAt.toISOString(),
|
createdAt: file.createdAt.toISOString(),
|
||||||
requestIp: isModerator ? file.requestIp : null,
|
requestIp: iAmModerator ? file.requestIp : null,
|
||||||
requestHeaders: isModerator ? file.requestHeaders : null,
|
requestHeaders: iAmModerator && !ownerIsModerator ? file.requestHeaders : null,
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue