chore: remove blocking of SP and RP admin updates (#2114)
mantariksh authored Jun 9, 2021
1 parent 04f5270 commit 88fd5a1
Showing 2 changed files with 0 additions and 36 deletions.
34 changes: 0 additions & 34 deletions src/app/modules/auth/auth.middlewares.ts
Expand Up @@ -3,7 +3,6 @@ import { StatusCodes } from 'http-status-codes'
import { createLoggerWithLabel } from '../../config/logger'
import { createReqMeta } from '../../utils/request'
import { ControllerHandler } from '../core/core.types'
import * as UserService from '../user/user.service'

import { isUserInSession } from './auth.utils'

Expand All @@ -25,39 +24,6 @@ export const withUserAuthentication: ControllerHandler = (req, res, next) => {
.json({ message: 'User is unauthorized.' })
}

const DENIED_DOMAINS = ['myrp.edu.sg', 'ichat.sp.edu.sg']

/**
* If user is from a domain which should not have been whitelisted,
* do not allow any updates. Only allow GET requests, eg to access
* submissions.
* @returns 400 if user in session is from a disallowed domain and
* HTTP method changes database state; next otherwise
*/
export const denyRpSpStudentEmails: ControllerHandler = async (
req,
res,
next,
) => {
const userId = (req.session as Express.AuthedSession).user._id
return UserService.findUserById(userId)
.map((user) => {
const emailDomain = user.email.split('@').pop() ?? ''
if (
DENIED_DOMAINS.includes(emailDomain.toLowerCase()) &&
req.method.toLowerCase() !== 'get'
) {
return res.sendStatus(StatusCodes.BAD_REQUEST)
}
return next()
})
.mapErr(() =>
res
.status(StatusCodes.UNPROCESSABLE_ENTITY)
.json({ message: 'User not found' }),
)
}

/**
* Logs all admin actions which change database state (i.e. non-GET requests)
* @returns next
2 changes: 0 additions & 2 deletions src/app/routes/api/v3/admin/forms/admin-forms.routes.ts
@@ -1,7 +1,6 @@
import { Router } from 'express'

import {
denyRpSpStudentEmails,
logAdminAction,
withUserAuthentication,
} from '../../../../../modules/auth/auth.middlewares'
Expand All @@ -18,7 +17,6 @@ export const AdminFormsRouter = Router()

// All routes in this handler should be protected by authentication.
AdminFormsRouter.use(withUserAuthentication)
AdminFormsRouter.use(denyRpSpStudentEmails)

// Log all non-get admin form actions
AdminFormsRouter.use('/:formId([a-fA-F0-9]{24})', logAdminAction)
