diff --git a/src/api/public/notes/notes.controller.ts b/src/api/public/notes/notes.controller.ts index e641f17aa..bfc398908 100644 --- a/src/api/public/notes/notes.controller.ts +++ b/src/api/public/notes/notes.controller.ts @@ -21,6 +21,7 @@ import { } from '@nestjs/common'; import { AlreadyInDBError, + ForbiddenIdError, NotInDBError, PermissionsUpdateInconsistentError, } from '../../../errors/errors'; @@ -86,6 +87,9 @@ export class NotesController { if (e instanceof NotInDBError) { throw new NotFoundException(e.message); } + if (e instanceof ForbiddenIdError) { + throw new BadRequestException(e.message); + } throw e; } if (!this.permissionsService.mayRead(req.user, note)) { @@ -114,6 +118,9 @@ export class NotesController { if (e instanceof AlreadyInDBError) { throw new BadRequestException(e.message); } + if (e instanceof ForbiddenIdError) { + throw new BadRequestException(e.message); + } throw e; } } @@ -137,6 +144,9 @@ export class NotesController { if (e instanceof NotInDBError) { throw new NotFoundException(e.message); } + if (e instanceof ForbiddenIdError) { + throw new BadRequestException(e.message); + } throw e; } } @@ -161,6 +171,9 @@ export class NotesController { if (e instanceof NotInDBError) { throw new NotFoundException(e.message); } + if (e instanceof ForbiddenIdError) { + throw new BadRequestException(e.message); + } throw e; } } @@ -182,6 +195,9 @@ export class NotesController { if (e instanceof NotInDBError) { throw new NotFoundException(e.message); } + if (e instanceof ForbiddenIdError) { + throw new BadRequestException(e.message); + } throw e; } } @@ -205,6 +221,9 @@ export class NotesController { if (e instanceof PermissionsUpdateInconsistentError) { throw new BadRequestException(e.message); } + if (e instanceof ForbiddenIdError) { + throw new BadRequestException(e.message); + } throw e; } } @@ -228,6 +247,9 @@ export class NotesController { if (e instanceof NotInDBError) { throw new NotFoundException(e.message); } + if (e instanceof ForbiddenIdError) { + throw new BadRequestException(e.message); + } throw e; } } @@ -253,6 +275,9 @@ export class NotesController { if (e instanceof NotInDBError) { throw new NotFoundException(e.message); } + if (e instanceof ForbiddenIdError) { + throw new BadRequestException(e.message); + } throw e; } } @@ -276,6 +301,9 @@ export class NotesController { if (e instanceof NotInDBError) { throw new NotFoundException(e.message); } + if (e instanceof ForbiddenIdError) { + throw new BadRequestException(e.message); + } throw e; } } diff --git a/src/notes/notes.service.ts b/src/notes/notes.service.ts index 0ecbbe57f..a1b1ecfdf 100644 --- a/src/notes/notes.service.ts +++ b/src/notes/notes.service.ts @@ -9,6 +9,7 @@ import { InjectRepository } from '@nestjs/typeorm'; import { Repository } from 'typeorm'; import { AlreadyInDBError, + ForbiddenIdError, NotInDBError, PermissionsUpdateInconsistentError, } from '../errors/errors'; @@ -91,6 +92,15 @@ export class NotesService { ]); if (alias) { newNote.alias = alias; + if (this.appConfig.forbiddenNoteIds.includes(alias)) { + this.logger.debug( + `Creating a note with the alias '${alias}' is forbidden by the administrator.`, + 'createNote', + ); + throw new ForbiddenIdError( + `Creating a note with the alias '${alias}' is forbidden by the administrator.`, + ); + } } if (owner) { newNote.historyEntries = [HistoryEntry.create(owner)]; @@ -151,6 +161,15 @@ export class NotesService { `Trying to find note '${noteIdOrAlias}'`, 'getNoteByIdOrAlias', ); + if (this.appConfig.forbiddenNoteIds.includes(noteIdOrAlias)) { + this.logger.debug( + `Accessing a note with the alias '${noteIdOrAlias}' is forbidden by the administrator.`, + 'getNoteByIdOrAlias', + ); + throw new ForbiddenIdError( + `Accessing a note with the alias '${noteIdOrAlias}' is forbidden by the administrator.`, + ); + } const note = await this.noteRepository.findOne({ where: [ {