From b962e8390a8e177a99e67e88f2f7b7dec4813f2c Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Thu, 29 Apr 2021 18:12:20 +0200
Subject: [PATCH] NotesController: Double-check that req.user is defined

TokenAuthGuard ensures that req.user is always defined, but thanks to strict mode we have to check again. In the future, we may add a custom Request type and a custom param decorator to centralize the check.

Signed-off-by: David Mehren
---
 src/api/public/notes/notes.controller.ts | 45 ++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/src/api/public/notes/notes.controller.ts b/src/api/public/notes/notes.controller.ts
index f32ba7d02..c87957850 100644
--- a/src/api/public/notes/notes.controller.ts
+++ b/src/api/public/notes/notes.controller.ts
@@ -12,6 +12,7 @@ import {
 Get,
 Header,
 HttpCode,
+ InternalServerErrorException,
 NotFoundException,
 Param,
 Post,
@@ -88,6 +89,10 @@ export class NotesController {
 @Req() req: Request,
 @MarkdownBody() text: string,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 // ToDo: provide user for createNoteDto
 if (!this.permissionsService.mayCreate(req.user)) {
 throw new UnauthorizedException('Creating note denied!');
@@ -111,6 +116,10 @@ export class NotesController {
 @Req() req: Request,
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 let note: Note;
 try {
 note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
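Review bot: The same `if (!req.user) { … throw new InternalServerErrorException('Request did not specify user'); }` block is repeated in this hunk (-88) and in the hunks at -111, -144, -175, -217, -251, -281, -315, -348, -384 and -415, so the comment, the message and any later change to them now have eleven copies to keep in sync. A module-level assertion function in notes.controller.ts, `function assertRequestUser(req: Request): asserts req is Request & { user: NonNullable<Request['user']> }`, gives the same strict-mode narrowing with one `assertRequestUser(req);` line per handler (sketch below). Since reaching that throw means TokenAuthGuard did not run for the route, the helper is also the one place to emit an error-level log entry so a misapplied guard is noticed rather than surfacing only as a generic 500; the project's logger is not visible in this diff, so I have not named one. Each handler's decorators and signature begin before its hunk and the body continues after it.
```typescript
/** Narrows `req.user` for strict mode; TokenAuthGuard should make the throw unreachable. */
function assertRequestUser(
  req: Request,
): asserts req is Request & { user: NonNullable<Request['user']> } {
  if (!req.user) {
    // Reaching this means the guard did not run for this route.
    throw new InternalServerErrorException('Request did not specify user');
  }
}
// … unchanged: decorators and signature of each handler …
    assertRequestUser(req);
// … unchanged: permission check and handler body …
```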
@@ -144,6 +153,10 @@ export class NotesController {
 @Param('noteAlias') noteAlias: string,
 @MarkdownBody() text: string,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 if (!this.permissionsService.mayCreate(req.user)) {
 throw new UnauthorizedException('Creating note denied!');
 }
@@ -175,6 +188,10 @@ export class NotesController {
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 @Body() noteMediaDeletionDto: NoteMediaDeletionDto,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 try {
 const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
 if (!this.permissionsService.isOwner(req.user, note)) {
@@ -217,6 +234,10 @@ export class NotesController {
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 @MarkdownBody() text: string,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 try {
 const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
 if (!this.permissionsService.mayWrite(req.user, note)) {
@@ -251,6 +272,10 @@ export class NotesController {
 @Req() req: Request,
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 try {
 const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
 if (!this.permissionsService.mayRead(req.user, note)) {
@@ -281,6 +306,10 @@ export class NotesController {
 @Req() req: Request,
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 try {
 const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
 if (!this.permissionsService.mayRead(req.user, note)) {
@@ -315,6 +344,10 @@ export class NotesController {
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 @Body() updateDto: NotePermissionsUpdateDto,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 try {
 const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
 if (!this.permissionsService.isOwner(req.user, note)) {
@@ -348,6 +381,10 @@ export class NotesController {
 @Req() req: Request,
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 try {
 const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
 if (!this.permissionsService.mayRead(req.user, note)) {
@@ -384,6 +421,10 @@ export class NotesController {
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 @Param('revisionId') revisionId: number,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 try {
 const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
 if (!this.permissionsService.mayRead(req.user, note)) {
@@ -415,6 +456,10 @@ export class NotesController {
 @Req() req: Request,
 @Param('noteIdOrAlias') noteIdOrAlias: string,
 ): Promise {
+ if (!req.user) {
+ // We should never reach this, as the TokenAuthGuard handles missing user info
+ throw new InternalServerErrorException('Request did not specify user');
+ }
 try {
 const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
 if (!this.permissionsService.mayRead(req.user, note)) {