feat: checkNoteIdOrAlias in more alias service methods

This should prevent any interaction by a forbidden id Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-04-15 15:36:30 +00:00 · 2022-02-06 22:09:22 +01:00 · 2022-02-06 22:09:22 +01:00 · c891a95588
commit c891a95588
parent 6269c7f7bc
4 changed files with 17 additions and 17 deletions
--- a/src/api/private/alias/alias.controller.ts
+++ b/src/api/private/alias/alias.controller.ts
@ -21,7 +21,6 @@ import {
  ApiNotFoundResponse,
  ApiTags,
  ApiUnauthorizedResponse,
-  ApiUnprocessableEntityResponse,
 } from '@nestjs/swagger';

 import { SessionGuard } from '../../../identity/session.guard';
@ -39,7 +38,6 @@ import {
  conflictDescription,
  notFoundDescription,
  unauthorizedDescription,
-  unprocessableEntityDescription,
 } from '../../utils/descriptions';
 import { RequestUser } from '../../utils/request-user.decorator';

@ -58,6 +56,7 @@ export class AliasController {
  }

  @Post()
+  @ApiBadRequestResponse({ description: badRequestDescription })
  @ApiConflictResponse({ description: conflictDescription })
  @ApiUnauthorizedResponse({ description: unauthorizedDescription })
  @ApiNotFoundResponse({ description: notFoundDescription })
@ -104,8 +103,8 @@ export class AliasController {
  @HttpCode(204)
  @ApiUnauthorizedResponse({ description: unauthorizedDescription })
  @ApiNotFoundResponse({ description: notFoundDescription })
-  @ApiUnprocessableEntityResponse({
-    description: unprocessableEntityDescription,
+  @ApiBadRequestResponse({
+    description: badRequestDescription,
  })
  async removeAlias(
    @RequestUser() user: User,
--- a/src/api/public/alias/alias.controller.ts
+++ b/src/api/public/alias/alias.controller.ts
@ -16,11 +16,11 @@ import {
  UseGuards,
 } from '@nestjs/common';
 import {
+  ApiBadRequestResponse,
  ApiNoContentResponse,
  ApiOkResponse,
  ApiSecurity,
  ApiTags,
-  ApiUnprocessableEntityResponse,
 } from '@nestjs/swagger';

 import { TokenAuthGuard } from '../../../auth/token.strategy';
@ -32,7 +32,7 @@ import { AliasService } from '../../../notes/alias.service';
 import { NotesService } from '../../../notes/notes.service';
 import { PermissionsService } from '../../../permissions/permissions.service';
 import { User } from '../../../users/user.entity';
-import { unprocessableEntityDescription } from '../../utils/descriptions';
+import { badRequestDescription } from '../../utils/descriptions';
 import { FullApi } from '../../utils/fullapi-decorator';
 import { RequestUser } from '../../utils/request-user.decorator';

@ -103,8 +103,8 @@ export class AliasController {
    description: 'The alias was deleted',
  })
  @FullApi
-  @ApiUnprocessableEntityResponse({
-    description: unprocessableEntityDescription,
+  @ApiBadRequestResponse({
+    description: badRequestDescription,
  })
  async removeAlias(
    @RequestUser() user: User,
--- a/src/notes/alias.service.ts
+++ b/src/notes/alias.service.ts
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
@ -36,6 +36,7 @@ export class AliasService {
   * @param {Note} note - the note to add the alias to
   * @param {string} alias - the alias to add to the note
   * @throws {AlreadyInDBError} the alias is already in use.
+   * @throws {ForbiddenIdError} the requested id or alias is forbidden
   * @return {Alias} the new alias
   */
  async addAlias(note: Note, alias: string): Promise<Alias> {
@ -79,6 +80,7 @@ export class AliasService {
   * Set the specified alias as the primary alias of the note.
   * @param {Note} note - the note to change the primary alias
   * @param {string} alias - the alias to be the new primary alias of the note
+   * @throws {ForbiddenIdError} the requested id or alias is forbidden
   * @throws {NotInDBError} the alias is not part of this note.
   * @return {Alias} the new primary alias
   */
@ -87,6 +89,8 @@ export class AliasService {
    let oldPrimaryId = '';
    let newPrimaryId = '';

+    this.notesService.checkNoteIdOrAlias(alias);
+
    for (const anAlias of await note.aliases) {
      // found old primary
      if (anAlias.primary) {
@ -130,10 +134,12 @@ export class AliasService {
   * Remove the specified alias from the note.
   * @param {Note} note - the note to remove the alias from
   * @param {string} alias - the alias to remove from the note
+   * @throws {ForbiddenIdError} the requested id or alias is forbidden
   * @throws {NotInDBError} the alias is not part of this note.
   * @throws {PrimaryAliasDeletionForbiddenError} the primary alias can only be deleted if it's the only alias
   */
  async removeAlias(note: Note, alias: string): Promise<Note> {
+    this.notesService.checkNoteIdOrAlias(alias);
    const primaryAlias = await getPrimaryAlias(note);

    if (primaryAlias === alias && (await note.aliases).length !== 1) {
--- a/src/notes/notes.service.ts
+++ b/src/notes/notes.service.ts
@ -157,20 +157,15 @@ export class NotesService {
   * @param {string} noteIdOrAlias - the notes id or alias
   * @return {Note} the note
   * @throws {NotInDBError} there is no note with this id or alias
+   * @throws {ForbiddenIdError} the requested id or alias is forbidden
   */
  async getNoteByIdOrAlias(noteIdOrAlias: string): Promise<Note> {
    this.logger.debug(
      `Trying to find note '${noteIdOrAlias}'`,
      'getNoteByIdOrAlias',
    );
-    try {
-      this.checkNoteIdOrAlias(noteIdOrAlias);
-    } catch (e) {
-      if (e instanceof ForbiddenIdError) {
-        throw new NotInDBError(e.message);
-      }
-      throw e;
-    }
+
+    this.checkNoteIdOrAlias(noteIdOrAlias);

    /**
     * This query gets the note's aliases, owner, groupPermissions (and the groups), userPermissions (and the users) and tags and