MeController: Double-check that req.user is defined
TokenAuthGuard ensures that req.user is always defined, but thanks to strict mode we have to check again. In the future, we may add a custom Request type and a custom param decorator to centralize the check. Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
parent
e18ee1f0fe
commit
ace1b7fad6
1 changed files with 29 additions and 0 deletions
|
@ -15,6 +15,7 @@ import {
|
||||||
Put,
|
Put,
|
||||||
UseGuards,
|
UseGuards,
|
||||||
Req,
|
Req,
|
||||||
|
InternalServerErrorException,
|
||||||
} from '@nestjs/common';
|
} from '@nestjs/common';
|
||||||
import { HistoryEntryUpdateDto } from '../../../history/history-entry-update.dto';
|
import { HistoryEntryUpdateDto } from '../../../history/history-entry-update.dto';
|
||||||
import { HistoryService } from '../../../history/history.service';
|
import { HistoryService } from '../../../history/history.service';
|
||||||
|
@ -65,6 +66,10 @@ export class MeController {
|
||||||
})
|
})
|
||||||
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
|
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
|
||||||
async getMe(@Req() req: Request): Promise<UserInfoDto> {
|
async getMe(@Req() req: Request): Promise<UserInfoDto> {
|
||||||
|
if (!req.user) {
|
||||||
|
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||||
|
throw new InternalServerErrorException('Request did not specify user');
|
||||||
|
}
|
||||||
return this.usersService.toUserDto(
|
return this.usersService.toUserDto(
|
||||||
await this.usersService.getUserByUsername(req.user.userName),
|
await this.usersService.getUserByUsername(req.user.userName),
|
||||||
);
|
);
|
||||||
|
@ -79,6 +84,10 @@ export class MeController {
|
||||||
})
|
})
|
||||||
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
|
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
|
||||||
async getUserHistory(@Req() req: Request): Promise<HistoryEntryDto[]> {
|
async getUserHistory(@Req() req: Request): Promise<HistoryEntryDto[]> {
|
||||||
|
if (!req.user) {
|
||||||
|
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||||
|
throw new InternalServerErrorException('Request did not specify user');
|
||||||
|
}
|
||||||
const foundEntries = await this.historyService.getEntriesByUser(req.user);
|
const foundEntries = await this.historyService.getEntriesByUser(req.user);
|
||||||
return await Promise.all(
|
return await Promise.all(
|
||||||
foundEntries.map((entry) => this.historyService.toHistoryEntryDto(entry)),
|
foundEntries.map((entry) => this.historyService.toHistoryEntryDto(entry)),
|
||||||
|
@ -97,6 +106,10 @@ export class MeController {
|
||||||
@Req() req: Request,
|
@Req() req: Request,
|
||||||
@Param('note') note: string,
|
@Param('note') note: string,
|
||||||
): Promise<HistoryEntryDto> {
|
): Promise<HistoryEntryDto> {
|
||||||
|
if (!req.user) {
|
||||||
|
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||||
|
throw new InternalServerErrorException('Request did not specify user');
|
||||||
|
}
|
||||||
try {
|
try {
|
||||||
const foundEntry = await this.historyService.getEntryByNoteIdOrAlias(
|
const foundEntry = await this.historyService.getEntryByNoteIdOrAlias(
|
||||||
note,
|
note,
|
||||||
|
@ -124,6 +137,10 @@ export class MeController {
|
||||||
@Param('note') note: string,
|
@Param('note') note: string,
|
||||||
@Body() entryUpdateDto: HistoryEntryUpdateDto,
|
@Body() entryUpdateDto: HistoryEntryUpdateDto,
|
||||||
): Promise<HistoryEntryDto> {
|
): Promise<HistoryEntryDto> {
|
||||||
|
if (!req.user) {
|
||||||
|
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||||
|
throw new InternalServerErrorException('Request did not specify user');
|
||||||
|
}
|
||||||
// ToDo: Check if user is allowed to pin this history entry
|
// ToDo: Check if user is allowed to pin this history entry
|
||||||
try {
|
try {
|
||||||
return this.historyService.toHistoryEntryDto(
|
return this.historyService.toHistoryEntryDto(
|
||||||
|
@ -151,6 +168,10 @@ export class MeController {
|
||||||
@Req() req: Request,
|
@Req() req: Request,
|
||||||
@Param('note') note: string,
|
@Param('note') note: string,
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
|
if (!req.user) {
|
||||||
|
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||||
|
throw new InternalServerErrorException('Request did not specify user');
|
||||||
|
}
|
||||||
// ToDo: Check if user is allowed to delete note
|
// ToDo: Check if user is allowed to delete note
|
||||||
try {
|
try {
|
||||||
await this.historyService.deleteHistoryEntry(note, req.user);
|
await this.historyService.deleteHistoryEntry(note, req.user);
|
||||||
|
@ -171,6 +192,10 @@ export class MeController {
|
||||||
})
|
})
|
||||||
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
|
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
|
||||||
async getMyNotes(@Req() req: Request): Promise<NoteMetadataDto[]> {
|
async getMyNotes(@Req() req: Request): Promise<NoteMetadataDto[]> {
|
||||||
|
if (!req.user) {
|
||||||
|
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||||
|
throw new InternalServerErrorException('Request did not specify user');
|
||||||
|
}
|
||||||
const notes = this.notesService.getUserNotes(req.user);
|
const notes = this.notesService.getUserNotes(req.user);
|
||||||
return await Promise.all(
|
return await Promise.all(
|
||||||
(await notes).map((note) => this.notesService.toNoteMetadataDto(note)),
|
(await notes).map((note) => this.notesService.toNoteMetadataDto(note)),
|
||||||
|
@ -186,6 +211,10 @@ export class MeController {
|
||||||
})
|
})
|
||||||
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
|
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
|
||||||
async getMyMedia(@Req() req: Request): Promise<MediaUploadDto[]> {
|
async getMyMedia(@Req() req: Request): Promise<MediaUploadDto[]> {
|
||||||
|
if (!req.user) {
|
||||||
|
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||||
|
throw new InternalServerErrorException('Request did not specify user');
|
||||||
|
}
|
||||||
const media = await this.mediaService.listUploadsByUser(req.user);
|
const media = await this.mediaService.listUploadsByUser(req.user);
|
||||||
return media.map((media) => this.mediaService.toMediaUploadDto(media));
|
return media.map((media) => this.mediaService.toMediaUploadDto(media));
|
||||||
}
|
}
|
||||||
|
|
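Review bot: The same four-line `if (!req.user)` block is pasted into all seven handlers, so the status code, the message and the explanatory comment can drift independently; one assertion function would narrow `req.user` for the compiler and keep the fail-closed behaviour in a single place, e.g. `private static requireUser(req: Request): asserts req is Request & { user: NonNullable<Request['user']> } { if (!req.user) throw new InternalServerErrorException('Request did not specify user'); }` called as `MeController.requireUser(req);` at the top of each handler. Whether every one of these handlers really sits behind `TokenAuthGuard` cannot be confirmed from these hunks (the `@UseGuards` decorators are outside them), and a handler that was later added without the guard is exactly what this branch would catch, so it is worth writing a server-side error log before throwing — otherwise the regression surfaces only as an opaque 500 to the client. The pre-existing `// ToDo: Check if user is allowed to ...` lines in the pin and delete handlers are untouched by this commit but remain the more important missing authorization check in this controller.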