yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: Disallow adding self to collection (#4299)

Browse Source 
* api

* ui

* update collection permissions
This commit is contained in:
Tom Moor
2022-10-15 22:11:09 -04:00
committed by GitHub
parent 97a50b20da
commit 1915a453db
6 changed files with 89 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
server/routes/api/__snapshots__/collections.test.ts.snap
View File

@@ -8,6 +8,14 @@ Object {
}
`;
exports[`#collections.add_user should not allow add self 1`] = `
Object {
"error": "authorization_error",
"message": "Authorization error",
"ok": false,
}
`;
exports[`#collections.add_user should require user in team 1`] = `
Object {
"error": "authorization_error",

18
server/routes/api/collections.test.ts
View File

@@ -422,6 +422,24 @@ describe("#collections.add_user", () => {
expect(users.length).toEqual(2);
});
it("should not allow add self", async () => {
const user = await buildUser();
const collection = await buildCollection({
teamId: user.teamId,
permission: null,
});
const res = await server.post("/api/collections.add_user", {
body: {
token: user.getJwtToken(),
id: collection.id,
userId: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
it("should require user in team", async () => {
const user = await buildUser();
const collection = await buildCollection({

6
server/routes/api/collections.ts
View File

@@ -9,7 +9,7 @@ import { RateLimiterStrategy } from "@server/RateLimiter";
import collectionExporter from "@server/commands/collectionExporter";
import teamUpdater from "@server/commands/teamUpdater";
import { sequelize } from "@server/database/sequelize";
import { ValidationError } from "@server/errors";
import { AuthorizationError, ValidationError } from "@server/errors";
import auth from "@server/middlewares/authentication";
import { rateLimiter } from "@server/middlewares/rateLimiter";
import {
@@ -370,6 +370,10 @@ router.post("collections.add_user", auth(), async (ctx) => {
},
});
if (userId === ctx.state.user.id) {
throw AuthorizationError("You cannot add yourself to a collection");
}
if (permission) {
assertCollectionPermission(permission);
}