mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-26 11:43:59 -05:00
NotesController: Double-check that req.user is defined
TokenAuthGuard ensures that req.user is always defined, but thanks to strict mode we have to check again. In the future, we may add a custom Request type and a custom param decorator to centralize the check. Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
parent
0a8dd454ab
commit
b962e8390a
1 changed files with 45 additions and 0 deletions
|
@ -12,6 +12,7 @@ import {
|
|||
Get,
|
||||
Header,
|
||||
HttpCode,
|
||||
InternalServerErrorException,
|
||||
NotFoundException,
|
||||
Param,
|
||||
Post,
|
||||
|
@ -88,6 +89,10 @@ export class NotesController {
|
|||
@Req() req: Request,
|
||||
@MarkdownBody() text: string,
|
||||
): Promise<NoteDto> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
// ToDo: provide user for createNoteDto
|
||||
if (!this.permissionsService.mayCreate(req.user)) {
|
||||
throw new UnauthorizedException('Creating note denied!');
|
||||
|
@ -111,6 +116,10 @@ export class NotesController {
|
|||
@Req() req: Request,
|
||||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
): Promise<NoteDto> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
let note: Note;
|
||||
try {
|
||||
note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
|
@ -144,6 +153,10 @@ export class NotesController {
|
|||
@Param('noteAlias') noteAlias: string,
|
||||
@MarkdownBody() text: string,
|
||||
): Promise<NoteDto> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
if (!this.permissionsService.mayCreate(req.user)) {
|
||||
throw new UnauthorizedException('Creating note denied!');
|
||||
}
|
||||
|
@ -175,6 +188,10 @@ export class NotesController {
|
|||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
@Body() noteMediaDeletionDto: NoteMediaDeletionDto,
|
||||
): Promise<void> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
try {
|
||||
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
if (!this.permissionsService.isOwner(req.user, note)) {
|
||||
|
@ -217,6 +234,10 @@ export class NotesController {
|
|||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
@MarkdownBody() text: string,
|
||||
): Promise<NoteDto> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
try {
|
||||
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
if (!this.permissionsService.mayWrite(req.user, note)) {
|
||||
|
@ -251,6 +272,10 @@ export class NotesController {
|
|||
@Req() req: Request,
|
||||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
): Promise<string> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
try {
|
||||
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
if (!this.permissionsService.mayRead(req.user, note)) {
|
||||
|
@ -281,6 +306,10 @@ export class NotesController {
|
|||
@Req() req: Request,
|
||||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
): Promise<NoteMetadataDto> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
try {
|
||||
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
if (!this.permissionsService.mayRead(req.user, note)) {
|
||||
|
@ -315,6 +344,10 @@ export class NotesController {
|
|||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
@Body() updateDto: NotePermissionsUpdateDto,
|
||||
): Promise<NotePermissionsDto> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
try {
|
||||
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
if (!this.permissionsService.isOwner(req.user, note)) {
|
||||
|
@ -348,6 +381,10 @@ export class NotesController {
|
|||
@Req() req: Request,
|
||||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
): Promise<RevisionMetadataDto[]> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
try {
|
||||
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
if (!this.permissionsService.mayRead(req.user, note)) {
|
||||
|
@ -384,6 +421,10 @@ export class NotesController {
|
|||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
@Param('revisionId') revisionId: number,
|
||||
): Promise<RevisionDto> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
try {
|
||||
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
if (!this.permissionsService.mayRead(req.user, note)) {
|
||||
|
@ -415,6 +456,10 @@ export class NotesController {
|
|||
@Req() req: Request,
|
||||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
): Promise<MediaUploadDto[]> {
|
||||
if (!req.user) {
|
||||
// We should never reach this, as the TokenAuthGuard handles missing user info
|
||||
throw new InternalServerErrorException('Request did not specify user');
|
||||
}
|
||||
try {
|
||||
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
if (!this.permissionsService.mayRead(req.user, note)) {
|
||||
|
|
Loading…
Reference in a new issue