Merge pull request #7258 from overleaf/jpa-restrict-history-access

[web] block restricted token users from accessing project history

GitOrigin-RevId: 18e6d58150be3846bc87e292108c1a09c553c9be
Jakob Ackermann 2022-03-28 13:23:15 +01:00 committed by Copybot
parent f9b3526b03
commit 5f5b17c6e9


@ -580,24 +580,28 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
)
webRouter.get(
'/project/:Project_id/updates',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApiAndInjectUserDetails
)
webRouter.get(
'/project/:Project_id/doc/:doc_id/diff',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApi
)
webRouter.get(
'/project/:Project_id/diff',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApiAndInjectUserDetails
)
webRouter.get(
'/project/:Project_id/filetree/diff',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApi
@ -625,6 +629,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
maxRequests: 30,
timeInterval: 60 * 60,
}),
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.downloadZipOfVersion
)
@ -636,6 +641,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
webRouter.get(
'/project/:Project_id/labels',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.ensureProjectHistoryEnabled,