NotesService: Check if note alias is forbidden

If the note alias is forbidden, return a BadRequest.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
Philip Molares 2021-02-20 22:21:31 +01:00
parent cbc88fd315
commit 9b25f401f7
2 changed files with 47 additions and 0 deletions


@ -21,6 +21,7 @@ import {
} from '@nestjs/common'; } from '@nestjs/common';
import { import {
AlreadyInDBError, AlreadyInDBError,
ForbiddenIdError,
NotInDBError, NotInDBError,
PermissionsUpdateInconsistentError, PermissionsUpdateInconsistentError,
} from '../../../errors/errors'; } from '../../../errors/errors';
@ -86,6 +87,9 @@ export class NotesController {
if (e instanceof NotInDBError) { if (e instanceof NotInDBError) {
throw new NotFoundException(e.message); throw new NotFoundException(e.message);
} }
if (e instanceof ForbiddenIdError) {
throw new BadRequestException(e.message);
}
throw e; throw e;
} }
if (!this.permissionsService.mayRead(req.user, note)) { if (!this.permissionsService.mayRead(req.user, note)) {
@ -114,6 +118,9 @@ export class NotesController {
if (e instanceof AlreadyInDBError) { if (e instanceof AlreadyInDBError) {
throw new BadRequestException(e.message); throw new BadRequestException(e.message);
} }
if (e instanceof ForbiddenIdError) {
throw new BadRequestException(e.message);
}
throw e; throw e;
} }
} }
@ -137,6 +144,9 @@ export class NotesController {
if (e instanceof NotInDBError) { if (e instanceof NotInDBError) {
throw new NotFoundException(e.message); throw new NotFoundException(e.message);
} }
if (e instanceof ForbiddenIdError) {
throw new BadRequestException(e.message);
}
throw e; throw e;
} }
} }
@ -161,6 +171,9 @@ export class NotesController {
if (e instanceof NotInDBError) { if (e instanceof NotInDBError) {
throw new NotFoundException(e.message); throw new NotFoundException(e.message);
} }
if (e instanceof ForbiddenIdError) {
throw new BadRequestException(e.message);
}
throw e; throw e;
} }
} }
@ -182,6 +195,9 @@ export class NotesController {
if (e instanceof NotInDBError) { if (e instanceof NotInDBError) {
throw new NotFoundException(e.message); throw new NotFoundException(e.message);
} }
if (e instanceof ForbiddenIdError) {
throw new BadRequestException(e.message);
}
throw e; throw e;
} }
} }
@ -205,6 +221,9 @@ export class NotesController {
if (e instanceof PermissionsUpdateInconsistentError) { if (e instanceof PermissionsUpdateInconsistentError) {
throw new BadRequestException(e.message); throw new BadRequestException(e.message);
} }
if (e instanceof ForbiddenIdError) {
throw new BadRequestException(e.message);
}
throw e; throw e;
} }
} }
@ -228,6 +247,9 @@ export class NotesController {
if (e instanceof NotInDBError) { if (e instanceof NotInDBError) {
throw new NotFoundException(e.message); throw new NotFoundException(e.message);
} }
if (e instanceof ForbiddenIdError) {
throw new BadRequestException(e.message);
}
throw e; throw e;
} }
} }
@ -253,6 +275,9 @@ export class NotesController {
if (e instanceof NotInDBError) { if (e instanceof NotInDBError) {
throw new NotFoundException(e.message); throw new NotFoundException(e.message);
} }
if (e instanceof ForbiddenIdError) {
throw new BadRequestException(e.message);
}
throw e; throw e;
} }
} }
@ -276,6 +301,9 @@ export class NotesController {
if (e instanceof NotInDBError) { if (e instanceof NotInDBError) {
throw new NotFoundException(e.message); throw new NotFoundException(e.message);
} }
if (e instanceof ForbiddenIdError) {
throw new BadRequestException(e.message);
}
throw e; throw e;
} }
} }
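Review bot: The same three-line `if (e instanceof ForbiddenIdError) { throw new BadRequestException(e.message); }` mapping is pasted into nine separate catch blocks of NotesController, so any handler added later that forgets it will let ForbiddenIdError propagate unmapped instead of returning a 400. Mapping the error once would remove that risk, either in a NestJS exception filter declared with `@Catch(ForbiddenIdError)` or in one private helper that every catch block calls. Each of these responses also returns `e.message` verbatim, which confirms to the caller that the requested name is on the administrator's forbidden list; a generic message would avoid that if the list is not meant to be discoverable. The enclosing try blocks and handler methods start outside the hunks shown.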


@ -9,6 +9,7 @@ import { InjectRepository } from '@nestjs/typeorm';
import { Repository } from 'typeorm'; import { Repository } from 'typeorm';
import { import {
AlreadyInDBError, AlreadyInDBError,
ForbiddenIdError,
NotInDBError, NotInDBError,
PermissionsUpdateInconsistentError, PermissionsUpdateInconsistentError,
} from '../errors/errors'; } from '../errors/errors';
@ -91,6 +92,15 @@ export class NotesService {
]); ]);
if (alias) { if (alias) {
newNote.alias = alias; newNote.alias = alias;
if (this.appConfig.forbiddenNoteIds.includes(alias)) {
this.logger.debug(
`Creating a note with the alias '${alias}' is forbidden by the administrator.`,
'createNote',
);
throw new ForbiddenIdError(
`Creating a note with the alias '${alias}' is forbidden by the administrator.`,
);
}
} }
if (owner) { if (owner) {
newNote.historyEntries = [HistoryEntry.create(owner)]; newNote.historyEntries = [HistoryEntry.create(owner)];
@ -151,6 +161,15 @@ export class NotesService {
`Trying to find note '${noteIdOrAlias}'`, `Trying to find note '${noteIdOrAlias}'`,
'getNoteByIdOrAlias', 'getNoteByIdOrAlias',
); );
if (this.appConfig.forbiddenNoteIds.includes(noteIdOrAlias)) {
this.logger.debug(
`Accessing a note with the alias '${noteIdOrAlias}' is forbidden by the administrator.`,
'getNoteByIdOrAlias',
);
throw new ForbiddenIdError(
`Accessing a note with the alias '${noteIdOrAlias}' is forbidden by the administrator.`,
);
}
const note = await this.noteRepository.findOne({ const note = await this.noteRepository.findOne({
where: [ where: [
{ {
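Review bot: Both added checks in NotesService use an exact, case-sensitive `forbiddenNoteIds.includes(...)` match, so the block list only holds if the configured entries and the incoming alias are normalized the same way, which these hunks do not show. If aliases are matched case-insensitively anywhere else (routing, database collation), a differently-cased variant would pass; consider comparing normalized values, e.g. `this.appConfig.forbiddenNoteIds.some((id) => id.toLowerCase() === alias.toLowerCase())`, or add a comment stating that the match is intentionally exact. In the createNote hunk the check runs after `newNote.alias = alias;`, and moving it above the assignment keeps a rejected value off the entity. The user-supplied value is also interpolated unescaped into the debug log line, so it is worth confirming the logger neutralizes line breaks. Both methods begin and end outside the hunks.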