From 1aa821460f34861753665c1395e581cbe6de66e1 Mon Sep 17 00:00:00 2001
From: Philip Molares
Date: Wed, 17 Feb 2021 13:15:26 +0100
Subject: [PATCH] NotesController: Catch NotInDBErrors from permission checks
The permission check also tries to get the note and a non existing note needs to be handled there too.
Signed-off-by: Philip Molares
---
 src/api/public/notes/notes.controller.ts | 64 ++++++++++++------------
 1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/src/api/public/notes/notes.controller.ts b/src/api/public/notes/notes.controller.ts
index 68a98c8dd..4bca6da81 100644
--- a/src/api/public/notes/notes.controller.ts
+++ b/src/api/public/notes/notes.controller.ts
@@ -111,21 +111,21 @@ export class NotesController {
 @Request() req,
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 ): Promise {
- const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
- if (!this.permissionsService.isOwner(req.user, note)) {
- throw new UnauthorizedException('Deleting note denied!');
- }
- this.logger.debug('Deleting note: ' + noteIdOrAlias, 'deleteNote');
 try {
+ const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+ if (!this.permissionsService.isOwner(req.user, note)) {
+ throw new UnauthorizedException('Deleting note denied!');
+ }
+ this.logger.debug('Deleting note: ' + noteIdOrAlias, 'deleteNote');
 await this.noteService.deleteNoteByIdOrAlias(noteIdOrAlias);
+ this.logger.debug('Successfully deleted ' + noteIdOrAlias, 'deleteNote');
+ return;
 } catch (e) {
 if (e instanceof NotInDBError) {
 throw new NotFoundException(e.message);
 }
 throw e;
 }
- this.logger.debug('Successfully deleted ' + noteIdOrAlias, 'deleteNote');
- return;
 }

 @UseGuards(TokenAuthGuard)
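Review bot: The denial on the new side, `throw new UnauthorizedException('Deleting note denied!');`, answers with HTTP 401, which means "not authenticated"; since the caller here already has a `req.user` (and the neighbouring method at the end of the hunk is guarded by `TokenAuthGuard`, presumably this one too), a failed owner check is an authorization failure and should be `throw new ForbiddenException('Deleting note denied!');` (403) so clients and proxies do not treat it as a credential problem. Moving the check inside the `try` is otherwise sound: neither exception is a `NotInDBError`, so the `throw e;` branch passes it through unchanged. A second point worth a comment: ownership is verified on the `note` object returned by `getNoteByIdOrAlias`, but `deleteNoteByIdOrAlias(noteIdOrAlias)` resolves the alias a second time, so if aliases can be reassigned concurrently the check and the delete may refer to different notes — passing `note` (or its id) to the delete would close that gap, if the service offers such an entry point. deleteNote's signature begins before the hunk.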
@@ -135,12 +135,12 @@ export class NotesController {
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 @MarkdownBody() text: string,
 ): Promise {
- const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
- if (!this.permissionsService.mayWrite(req.user, note)) {
- throw new UnauthorizedException('Updating note denied!');
- }
- this.logger.debug('Got raw markdown:\n' + text, 'updateNote');
 try {
+ const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+ if (!this.permissionsService.mayWrite(req.user, note)) {
+ throw new UnauthorizedException('Updating note denied!');
+ }
+ this.logger.debug('Got raw markdown:\n' + text, 'updateNote');
 return this.noteService.toNoteDto(
 await this.noteService.updateNoteByIdOrAlias(noteIdOrAlias, text),
 );
@@ -159,11 +159,11 @@ export class NotesController {
 @Request() req,
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 ): Promise {
- const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
- if (!this.permissionsService.mayRead(req.user, note)) {
- throw new UnauthorizedException('Reading note denied!');
- }
 try {
+ const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+ if (!this.permissionsService.mayRead(req.user, note)) {
+ throw new UnauthorizedException('Reading note denied!');
+ }
 return await this.noteService.getNoteContent(noteIdOrAlias);
 } catch (e) {
 if (e instanceof NotInDBError) {
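Review bot: `this.logger.debug('Got raw markdown:\n' + text, 'updateNote');` writes the entire user-supplied note body into the application log; with debug logging enabled in production that copies potentially private note content into log storage, and because `text` is unsanitised and may contain newlines a caller can inject fake log lines. Placing the statement after the `mayWrite` check, as this hunk does, at least keeps unauthorised callers from triggering it, but I would log only the size, e.g. `this.logger.debug('Got raw markdown of length ' + text.length, 'updateNote');`. updateNote's body and its catch clause continue past the end of the hunk.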
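Review bot: With the lookup now inside the `try`, a missing note maps to `NotFoundException` (404) while an existing note the caller may not read still yields `UnauthorizedException` (401), so the status code alone tells a caller whether a given id or alias exists — an enumeration oracle if private-note aliases are meant to be unguessable. If that distinction is not intended, answer the forbidden case with the same 404; if it is intended, the denial should at least be a `ForbiddenException` (403), since `req.user` is already authenticated here. Either way a comment such as `// 404 vs. 403 deliberately reveals note existence to authenticated users` at the `if (!this.permissionsService.mayRead(req.user, note))` line would record the decision. The catch body, including the `NotFoundException` construction, lies outside this hunk.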
@@ -179,11 +179,11 @@ export class NotesController {
 @Request() req,
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 ): Promise {
- const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
- if (!this.permissionsService.mayRead(req.user, note)) {
- throw new UnauthorizedException('Reading note denied!');
- }
 try {
+ const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+ if (!this.permissionsService.mayRead(req.user, note)) {
+ throw new UnauthorizedException('Reading note denied!');
+ }
 return this.noteService.toNoteMetadataDto(
 await this.noteService.getNoteByIdOrAlias(noteIdOrAlias),
 );
@@ -202,11 +202,11 @@ export class NotesController {
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 @Body() updateDto: NotePermissionsUpdateDto,
 ): Promise {
- const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
- if (!this.permissionsService.isOwner(req.user, note)) {
- throw new UnauthorizedException('Updating note denied!');
- }
 try {
+ const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+ if (!this.permissionsService.isOwner(req.user, note)) {
+ throw new UnauthorizedException('Updating note denied!');
+ }
 return this.noteService.toNotePermissionsDto(
 await this.noteService.updateNotePermissions(noteIdOrAlias, updateDto),
 );
@@ -224,11 +224,11 @@ export class NotesController {
 @Request() req,
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 ): Promise {
- const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
- if (!this.permissionsService.mayRead(req.user, note)) {
- throw new UnauthorizedException('Reading note denied!');
- }
 try {
+ const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+ if (!this.permissionsService.mayRead(req.user, note)) {
+ throw new UnauthorizedException('Reading note denied!');
+ }
 const revisions = await this.revisionsService.getAllRevisions(
 noteIdOrAlias,
 );
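Review bot: `getNoteByIdOrAlias(noteIdOrAlias)` is now called twice in this method — once into `note` for the `mayRead` check and again as the argument of `toNoteMetadataDto`. The second call is a redundant database round trip, and because it re-resolves the alias after the authorisation check, the metadata returned could belong to a different note than the one authorised if the alias is re-pointed in between. `return this.noteService.toNoteMetadataDto(note);` uses the already-authorised object, which is exactly the type the original argument has. The method's catch clause is outside the hunk.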
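Review bot: In the permissions-update hunk (`@@ -202,11`), the `isOwner` check is the only thing between an ordinary reader and rewriting a note's access list, yet it is evaluated on `note` while `updateNotePermissions(noteIdOrAlias, updateDto)` looks the note up again by alias; if the service can take the resolved `note` (or `note.id`) instead, passing it would make the object that was authorised and the object that is modified provably the same. Whether `updateDto` is validated (e.g. a `ValidationPipe` with `whitelist`) is not visible from this hunk and is worth confirming, since the body goes straight into the permission model. As elsewhere in the file, the denial should be a `ForbiddenException` (403) rather than `UnauthorizedException` (401) for an already-authenticated `req.user`. updateNotePermissions's signature starts before the hunk and its catch clause ends after it.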
@@ -252,11 +252,11 @@ export class NotesController {
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 @Param('revisionId') revisionId: number,
 ): Promise {
- const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
- if (!this.permissionsService.mayRead(req.user, note)) {
- throw new UnauthorizedException('Reading note denied!');
- }
 try {
+ const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+ if (!this.permissionsService.mayRead(req.user, note)) {
+ throw new UnauthorizedException('Reading note denied!');
+ }
 return this.revisionsService.toRevisionDto(
 await this.revisionsService.getRevision(noteIdOrAlias, revisionId),
 );
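Review bot: `@Param('revisionId') revisionId: number` only declares a number; route parameters arrive as strings, so unless a global `ValidationPipe({ transform: true })` is registered (not visible here) `getRevision` receives a string and any numeric comparison in the service silently misbehaves. `@Param('revisionId', ParseIntPipe) revisionId: number,` makes the conversion explicit and rejects non-numeric input with a 400 before the lookup. The `mayRead` check covers the note, but the revision itself is fetched by `(noteIdOrAlias, revisionId)`, so it is worth confirming that the service scopes the revision query to that note rather than by `revisionId` alone — otherwise a reader of one note could fetch revisions of another; a comment at the `getRevision` call stating that guarantee would help the next reader. getNoteRevision's signature starts before the hunk and its catch clause lies after it.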