From e08e3feec4b329bd249f595ba807c9fbae3c282d Mon Sep 17 00:00:00 2001
From: Jannik Schönartz
Date: Tue, 26 Feb 2019 07:23:12 +0000
Subject: [permissionmanager] Fix security bug: Code was executed weather the user had the permission or not

---
 server/api/roles.js | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

(limited to 'server/api/roles.js')

diff --git a/server/api/roles.js b/server/api/roles.js
index 3b86f50..8d5cf4e 100644
--- a/server/api/roles.js
+++ b/server/api/roles.js
@@ -11,9 +11,8 @@ var router = decorateApp(express.Router())
  * @return: Returns the information about a role and it's permissions and groups.
  */
 router.getAsync('/:id', async (req, res) => {
-  if (!await req.user.hasPermission('permissions.*')) {
-    res.status(403).end()
-  }
+  if (!await req.user.hasPermission('permissions.*')) return res.status(403).end()
+
   var role = await db.role.findOne({ where: { id: req.params.id }, include: ['permissions', 'groups'] })
   if (role) res.send(role)
   else res.status(404).end()
@@ -23,9 +22,8 @@ router.getAsync('/:id', async (req, res) => {
  * @return: Returns a list of all roles in the database.
  */
 router.getAsync('', async (req, res) => {
-  if (!await req.user.hasPermission('permissions.*')) {
-    res.status(403).end()
-  }
+  if (!await req.user.hasPermission('permissions.*')) return res.status(403).end()
+
   var roles = await db.role.findAll({ attributes: ['id', 'name', 'descr'] })
   res.status(200).send(roles)
 })
@@ -42,9 +40,8 @@ router.getAsync('', async (req, res) => {
  *
  */
 router.postAsync(['', '/:id'], async (req, res) => {
-  if (!await req.user.hasPermission('permissions.editrole')) {
-    res.status(403).end()
-  }
+  if (!await req.user.hasPermission('permissions.editrole')) return res.status(403).end()
+
   // ?delete Delete the roles
   if (req.query.delete !== undefined && req.query.delete !== 'false') {
     await db.role.destroy({ where: { id: req.body.ids } })
-- 
cgit v1.2.3-55-g7522
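Review bot: The `return` on the new 403 line in the `/:id` handler is the entire fix, and nothing in the code says so; the old form looked like a valid guard and only fell through because the response was sent without leaving the handler, so the same slip is easy to reintroduce. A short why-comment on the guard would pin the intent: `// must return: sending 403 alone does not stop the handler, and the query below would still run for unauthorized callers`. The guard also dereferences `req.user` unconditionally, so if an upstream middleware does not guarantee an authenticated user on every route of this router (not visible in this hunk), an anonymous request throws a TypeError here rather than receiving a 401/403; worth confirming and, if needed, adding `if (!req.user) return res.status(401).end()` ahead of the permission check. The same pattern repeats in the other two hunks of this commit.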
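Review bot: In the `postAsync` handler, `req.body.ids` goes straight into `db.role.destroy({ where: { id: req.body.ids } })` with no presence or type check, so a `?delete` request with a missing or malformed `ids` reaches the ORM unvalidated; how Sequelize treats `where: { id: undefined }` depends on the version in use (not visible here), and older releases have been known to drop such a condition rather than reject it, which on a `destroy` would be a mass deletion. Since the permission gate above now works, this is the next thing an authorized-but-careless (or compromised) client can hit, and it is cheap to close: `if (!Array.isArray(req.body.ids) || req.body.ids.length === 0) return res.status(400).end()` before the destroy call. The handler body continues past the end of this hunk, so the remaining branches were not reviewed.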