From 3334abaf5eca7d2e41d1ed5670c2862e733adfb5 Mon Sep 17 00:00:00 2001
From: Marc Farra
Date: Fri, 20 Jan 2023 16:22:31 +0200
Subject: [PATCH 1/2] create code guards when org or user are undefined

---
 src/middlewares/can/create-org-team.js | 4 +++
 src/middlewares/can/view-org-members.js | 6 ++++-
 src/middlewares/can/view-org-teams.js | 36 ++++++++++++++++---------
 3 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/src/middlewares/can/create-org-team.js b/src/middlewares/can/create-org-team.js
index 1a4d33d0..b00c6edb 100644
--- a/src/middlewares/can/create-org-team.js
+++ b/src/middlewares/can/create-org-team.js
@@ -16,6 +16,10 @@ export default async function canCreateOrgTeam(req, res, next) {
   const { orgId } = req.query
   const userId = req.session?.user_id
 
+  if (!userId || !orgId) {
+    throw Boom.badRequest('could not identify organization or user')
+  }
+
   // Must be owner or manager
   if (!(await isOwner(orgId, userId)) && !(await isManager(orgId, userId))) {
     throw Boom.unauthorized()
diff --git a/src/middlewares/can/view-org-members.js b/src/middlewares/can/view-org-members.js
index 1872ce62..f96e86e1 100644
--- a/src/middlewares/can/view-org-members.js
+++ b/src/middlewares/can/view-org-members.js
@@ -12,10 +12,14 @@ export default async function canViewOrgMembers(req, res, next) {
   const { orgId } = req.query
   const userId = req.session?.user_id
 
+  if (!orgId) {
+    throw Boom.badRequest('organization id not provided')
+  }
+
   if (await isPublic(orgId)) {
     // Can view if org is public
     return next()
-  } else if (await isMemberOrStaff(orgId, userId)) {
+  } else if (userId && (await isMemberOrStaff(orgId, userId))) {
     // Can view if is member or staff
     return next()
   } else {
diff --git a/src/middlewares/can/view-org-teams.js b/src/middlewares/can/view-org-teams.js
index 61a40873..7d5e374a 100644
--- a/src/middlewares/can/view-org-teams.js
+++ b/src/middlewares/can/view-org-teams.js
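Review bot: The new guard in create-org-team.js answers a missing session `user_id` with 400, but an absent session is an authentication failure rather than a malformed request; splitting it into `if (!userId) throw Boom.unauthorized()` and `if (!orgId) throw Boom.badRequest('organization id not provided')` gives callers the right status and reuses the message the other two files adopt. Neither this guard nor the ones added to view-org-members.js and view-org-teams.js pin the type of `orgId`: a truthy non-string (for example an array, if the query parser yields one for a repeated parameter) still reaches the ownership lookups, which a `typeof orgId !== 'string'` check alongside the truthiness test would stop. canCreateOrgTeam's signature is visible only in the hunk heading and its body continues past the hunk.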
@@ -11,20 +11,32 @@ import Organization from '../../models/organization'
  */
 export default async function canViewOrgTeams(req, res, next) {
   const { orgId } = req.query
 
-  const userId = req.session?.user_id
-  let [org, isMember, isManager, isOwner] = await Promise.all([
-    Organization.get(orgId),
-    Organization.isMember(orgId, userId),
-    Organization.isManager(orgId, userId),
-    Organization.isOwner(orgId, userId),
-  ])
+  if (!orgId) {
+    throw Boom.badRequest('organization id not provided')
+  }
+
+  let org = await Organization.get(orgId)
 
-  if (org?.privacy === 'public' || isMember || isManager || isOwner) {
-    // Add org and permission flags to request
-    req.org = { ...org, isMember, isManager, isOwner }
+  if (org?.privacy === 'public') {
+    req.org = { ...org }
     return next()
-  } else {
-    throw Boom.unauthorized()
   }
+
+  const userId = req.session?.user_id
+
+  if (userId) {
+    let [isMember, isManager, isOwner] = await Promise.all([
+      Organization.isMember(orgId, userId),
+      Organization.isManager(orgId, userId),
+      Organization.isOwner(orgId, userId),
+    ])
+    if (isMember || isManager || isOwner) {
+      // Add org and permission flags to request
+      req.org = { ...org, isMember, isManager, isOwner }
+      return next()
+    }
+  }
+
+  throw Boom.unauthorized()
 }

From 17206df7333c4f432a05c978b95a0f473be96629 Mon Sep 17 00:00:00 2001
From: Marc Farra
Date: Fri, 20 Jan 2023 16:54:11 +0200
Subject: [PATCH 2/2] fix for public + authenticated

---
 src/middlewares/can/view-org-teams.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/middlewares/can/view-org-teams.js b/src/middlewares/can/view-org-teams.js
index 7d5e374a..70cd7f35 100644
--- a/src/middlewares/can/view-org-teams.js
+++ b/src/middlewares/can/view-org-teams.js
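Review bot: `let org = await Organization.get(orgId)` and the destructured `let [isMember, isManager, isOwner]` are never reassigned in the new code, so both should be `const` (`const org = await Organization.get(orgId)` and `const [isMember, isManager, isOwner] = await Promise.all([`). The `org?.privacy` optional chain also means an id that resolves to no organization still runs the three membership queries and ends at `throw Boom.unauthorized()`; if that is the intended response for unknown ids (it avoids telling callers which ids exist), a one-line comment above `const userId = req.session?.user_id` saying so would keep a later reader from turning it into a 404. The function is visible in full within this hunk.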
@@ -18,11 +18,6 @@ export default async function canViewOrgTeams(req, res, next) {
 
   let org = await Organization.get(orgId)
 
-  if (org?.privacy === 'public') {
-    req.org = { ...org }
-    return next()
-  }
-
   const userId = req.session?.user_id
 
   if (userId) {
@@ -31,11 +26,16 @@ export default async function canViewOrgTeams(req, res, next) {
       Organization.isManager(orgId, userId),
       Organization.isOwner(orgId, userId),
     ])
-    if (isMember || isManager || isOwner) {
+    if (org?.privacy === 'public' || isMember || isManager || isOwner) {
       // Add org and permission flags to request
       req.org = { ...org, isMember, isManager, isOwner }
       return next()
     }
+  } else {
+    if (org?.privacy === 'public') {
+      req.org = { ...org }
+      return next()
+    }
   }
 
   throw Boom.unauthorized()
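Review bot: The two public-org paths in the second hunk now shape `req.org` differently: an authenticated caller gets `isMember`/`isManager`/`isOwner` booleans, while the anonymous `else` branch spreads only `org`, so downstream code reads `undefined` instead of `false` for the flags depending on whether a session exists. Setting them explicitly in the anonymous branch, `req.org = { ...org, isMember: false, isManager: false, isOwner: false }`, keeps the shape uniform and makes the "no permissions" case deliberate rather than accidental. The `else { if (...) { ... } }` nesting can also be flattened to `} else if (org?.privacy === 'public') {`. The `if (userId)` block this `else` belongs to opens outside the hunk.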