From 9b25f401f791a229d42d93d898ca4ee0719b2984 Mon Sep 17 00:00:00 2001
From: Philip Molares <philip.molares@udo.edu>
Date: Sat, 20 Feb 2021 22:21:31 +0100
Subject: [PATCH] NotesService: Check if note alias is forbidden

If the note alias is forbidden return a BadRequest.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
---
 src/api/public/notes/notes.controller.ts | 28 ++++++++++++++++++++++++
 src/notes/notes.service.ts               | 19 ++++++++++++++++
 2 files changed, 47 insertions(+)

diff --git a/src/api/public/notes/notes.controller.ts b/src/api/public/notes/notes.controller.ts
index e641f17aa..bfc398908 100644
--- a/src/api/public/notes/notes.controller.ts
+++ b/src/api/public/notes/notes.controller.ts
@@ -21,6 +21,7 @@ import {
 } from '@nestjs/common';
 import {
   AlreadyInDBError,
+  ForbiddenIdError,
   NotInDBError,
   PermissionsUpdateInconsistentError,
 } from '../../../errors/errors';
@@ -86,6 +87,9 @@ export class NotesController {
       if (e instanceof NotInDBError) {
         throw new NotFoundException(e.message);
       }
+      if (e instanceof ForbiddenIdError) {
+        throw new BadRequestException(e.message);
+      }
       throw e;
     }
     if (!this.permissionsService.mayRead(req.user, note)) {
@@ -114,6 +118,9 @@ export class NotesController {
       if (e instanceof AlreadyInDBError) {
         throw new BadRequestException(e.message);
       }
+      if (e instanceof ForbiddenIdError) {
+        throw new BadRequestException(e.message);
+      }
       throw e;
     }
   }
@@ -137,6 +144,9 @@ export class NotesController {
       if (e instanceof NotInDBError) {
         throw new NotFoundException(e.message);
       }
+      if (e instanceof ForbiddenIdError) {
+        throw new BadRequestException(e.message);
+      }
       throw e;
     }
   }
@@ -161,6 +171,9 @@ export class NotesController {
       if (e instanceof NotInDBError) {
         throw new NotFoundException(e.message);
       }
+      if (e instanceof ForbiddenIdError) {
+        throw new BadRequestException(e.message);
+      }
       throw e;
     }
   }
@@ -182,6 +195,9 @@ export class NotesController {
       if (e instanceof NotInDBError) {
         throw new NotFoundException(e.message);
       }
+      if (e instanceof ForbiddenIdError) {
+        throw new BadRequestException(e.message);
+      }
       throw e;
     }
   }
@@ -205,6 +221,9 @@ export class NotesController {
       if (e instanceof PermissionsUpdateInconsistentError) {
         throw new BadRequestException(e.message);
       }
+      if (e instanceof ForbiddenIdError) {
+        throw new BadRequestException(e.message);
+      }
       throw e;
     }
   }
@@ -228,6 +247,9 @@ export class NotesController {
       if (e instanceof NotInDBError) {
         throw new NotFoundException(e.message);
       }
+      if (e instanceof ForbiddenIdError) {
+        throw new BadRequestException(e.message);
+      }
       throw e;
     }
   }
@@ -253,6 +275,9 @@ export class NotesController {
       if (e instanceof NotInDBError) {
         throw new NotFoundException(e.message);
       }
+      if (e instanceof ForbiddenIdError) {
+        throw new BadRequestException(e.message);
+      }
       throw e;
     }
   }
@@ -276,6 +301,9 @@ export class NotesController {
       if (e instanceof NotInDBError) {
         throw new NotFoundException(e.message);
       }
+      if (e instanceof ForbiddenIdError) {
+        throw new BadRequestException(e.message);
+      }
       throw e;
     }
   }
diff --git a/src/notes/notes.service.ts b/src/notes/notes.service.ts
index 0ecbbe57f..a1b1ecfdf 100644
--- a/src/notes/notes.service.ts
+++ b/src/notes/notes.service.ts
@@ -9,6 +9,7 @@ import { InjectRepository } from '@nestjs/typeorm';
 import { Repository } from 'typeorm';
 import {
   AlreadyInDBError,
+  ForbiddenIdError,
   NotInDBError,
   PermissionsUpdateInconsistentError,
 } from '../errors/errors';
@@ -91,6 +92,15 @@ export class NotesService {
     ]);
     if (alias) {
       newNote.alias = alias;
+      if (this.appConfig.forbiddenNoteIds.includes(alias)) {
+        this.logger.debug(
+          `Creating a note with the alias '${alias}' is forbidden by the administrator.`,
+          'createNote',
+        );
+        throw new ForbiddenIdError(
+          `Creating a note with the alias '${alias}' is forbidden by the administrator.`,
+        );
+      }
     }
     if (owner) {
       newNote.historyEntries = [HistoryEntry.create(owner)];
@@ -151,6 +161,15 @@ export class NotesService {
       `Trying to find note '${noteIdOrAlias}'`,
       'getNoteByIdOrAlias',
     );
+    if (this.appConfig.forbiddenNoteIds.includes(noteIdOrAlias)) {
+      this.logger.debug(
+        `Accessing a note with the alias '${noteIdOrAlias}' is forbidden by the administrator.`,
+        'getNoteByIdOrAlias',
+      );
+      throw new ForbiddenIdError(
+        `Accessing a note with the alias '${noteIdOrAlias}' is forbidden by the administrator.`,
+      );
+    }
     const note = await this.noteRepository.findOne({
       where: [
         {