authorJannik Schönartz2019-02-26 08:23:12 +0100
committerJannik Schönartz2019-02-26 08:23:12 +0100
commite08e3feec4b329bd249f595ba807c9fbae3c282d (patch)
treee01d69b3304bea1c21674436a27901c040b9bf03 /server/api/roles.js
parent[authentication] Rewrite code in async/await, fix edit account module (diff)
[permissionmanager] Fix security bug: Code was executed weather the user had the permission or not
Diffstat (limited to 'server/api/roles.js')
-rw-r--r--server/api/roles.js15
1 files changed, 6 insertions, 9 deletions
diff --git a/server/api/roles.js b/server/api/roles.js
index 3b86f50..8d5cf4e 100644
--- a/server/api/roles.js
+++ b/server/api/roles.js
@@ -11,9 +11,8 @@ var router = decorateApp(express.Router())
* @return: Returns the information about a role and it's permissions and groups.
*/
router.getAsync('/:id', async (req, res) => {
- if (!await req.user.hasPermission('permissions.*')) {
- res.status(403).end()
- }
+ if (!await req.user.hasPermission('permissions.*')) return res.status(403).end()
+
var role = await db.role.findOne({ where: { id: req.params.id }, include: ['permissions', 'groups'] })
if (role) res.send(role)
else res.status(404).end()
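Review bot: The JSDoc block above each handler (the `@return:` line visible at the top of this hunk and of the two hunks that follow) still documents only the success payload, while the new guard makes a 403 a first-class outcome of every route; the contract should say so, e.g. `* @return: 403 if the caller lacks 'permissions.*'; otherwise the role with its permissions and groups, or 404 if no such id.` The guard itself is correct: `return` ends the handler after `res.status(403).end()`, so the lookup no longer runs for unauthorised callers, and `!await …` parses as `!(await …)`. The same documentation gap applies to the hunks at `router.getAsync('')` and `router.postAsync(['', '/:id'])`, with `permissions.editrole` as the required permission in the latter.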
@@ -23,9 +22,8 @@ router.getAsync('/:id', async (req, res) => {
* @return: Returns a list of all roles in the database.
*/
router.getAsync('', async (req, res) => {
- if (!await req.user.hasPermission('permissions.*')) {
- res.status(403).end()
- }
+ if (!await req.user.hasPermission('permissions.*')) return res.status(403).end()
+
var roles = await db.role.findAll({ attributes: ['id', 'name', 'descr'] })
res.status(200).send(roles)
})
@@ -42,9 +40,8 @@ router.getAsync('', async (req, res) => {
*
*/
router.postAsync(['', '/:id'], async (req, res) => {
- if (!await req.user.hasPermission('permissions.editrole')) {
- res.status(403).end()
- }
+ if (!await req.user.hasPermission('permissions.editrole')) return res.status(403).end()
+
// ?delete Delete the roles
if (req.query.delete !== undefined && req.query.delete !== 'false') {
await db.role.destroy({ where: { id: req.body.ids } })
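Review bot: Now that the permission guard actually returns, the delete branch is reachable only by authorised callers, but `req.body.ids` still flows unvalidated into `db.role.destroy({ where: { id: req.body.ids } })`; if the body has no `ids` the `where` value is `undefined`, and depending on the ORM version that is either rejected or, in older releases, not applied as a constraint at all. A cheap check before the destroy closes that off: `if (!Array.isArray(req.body.ids) || req.body.ids.length === 0) return res.status(400).end()`. The `postAsync` handler body continues past the end of this hunk, so any further uses of `req.body` there are not visible here.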