Merge pull request #7258 from overleaf/jpa-restrict-history-access
[web] block restricted token users from accessing project history GitOrigin-RevId: 18e6d58150be3846bc87e292108c1a09c553c9be
parent
f9b3526b03
commit
5f5b17c6e9
1 changed files with 6 additions and 0 deletions
|
@ -580,24 +580,28 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
|
||||||
)
|
)
|
||||||
webRouter.get(
|
webRouter.get(
|
||||||
'/project/:Project_id/updates',
|
'/project/:Project_id/updates',
|
||||||
|
AuthorizationMiddleware.blockRestrictedUserFromProject,
|
||||||
AuthorizationMiddleware.ensureUserCanReadProject,
|
AuthorizationMiddleware.ensureUserCanReadProject,
|
||||||
HistoryController.selectHistoryApi,
|
HistoryController.selectHistoryApi,
|
||||||
HistoryController.proxyToHistoryApiAndInjectUserDetails
|
HistoryController.proxyToHistoryApiAndInjectUserDetails
|
||||||
)
|
)
|
||||||
webRouter.get(
|
webRouter.get(
|
||||||
'/project/:Project_id/doc/:doc_id/diff',
|
'/project/:Project_id/doc/:doc_id/diff',
|
||||||
|
AuthorizationMiddleware.blockRestrictedUserFromProject,
|
||||||
AuthorizationMiddleware.ensureUserCanReadProject,
|
AuthorizationMiddleware.ensureUserCanReadProject,
|
||||||
HistoryController.selectHistoryApi,
|
HistoryController.selectHistoryApi,
|
||||||
HistoryController.proxyToHistoryApi
|
HistoryController.proxyToHistoryApi
|
||||||
)
|
)
|
||||||
webRouter.get(
|
webRouter.get(
|
||||||
'/project/:Project_id/diff',
|
'/project/:Project_id/diff',
|
||||||
|
AuthorizationMiddleware.blockRestrictedUserFromProject,
|
||||||
AuthorizationMiddleware.ensureUserCanReadProject,
|
AuthorizationMiddleware.ensureUserCanReadProject,
|
||||||
HistoryController.selectHistoryApi,
|
HistoryController.selectHistoryApi,
|
||||||
HistoryController.proxyToHistoryApiAndInjectUserDetails
|
HistoryController.proxyToHistoryApiAndInjectUserDetails
|
||||||
)
|
)
|
||||||
webRouter.get(
|
webRouter.get(
|
||||||
'/project/:Project_id/filetree/diff',
|
'/project/:Project_id/filetree/diff',
|
||||||
|
AuthorizationMiddleware.blockRestrictedUserFromProject,
|
||||||
AuthorizationMiddleware.ensureUserCanReadProject,
|
AuthorizationMiddleware.ensureUserCanReadProject,
|
||||||
HistoryController.selectHistoryApi,
|
HistoryController.selectHistoryApi,
|
||||||
HistoryController.proxyToHistoryApi
|
HistoryController.proxyToHistoryApi
|
||||||
|
@ -625,6 +629,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
|
||||||
maxRequests: 30,
|
maxRequests: 30,
|
||||||
timeInterval: 60 * 60,
|
timeInterval: 60 * 60,
|
||||||
}),
|
}),
|
||||||
|
AuthorizationMiddleware.blockRestrictedUserFromProject,
|
||||||
AuthorizationMiddleware.ensureUserCanReadProject,
|
AuthorizationMiddleware.ensureUserCanReadProject,
|
||||||
HistoryController.downloadZipOfVersion
|
HistoryController.downloadZipOfVersion
|
||||||
)
|
)
|
||||||
|
@ -636,6 +641,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
|
||||||
|
|
||||||
webRouter.get(
|
webRouter.get(
|
||||||
'/project/:Project_id/labels',
|
'/project/:Project_id/labels',
|
||||||
|
AuthorizationMiddleware.blockRestrictedUserFromProject,
|
||||||
AuthorizationMiddleware.ensureUserCanReadProject,
|
AuthorizationMiddleware.ensureUserCanReadProject,
|
||||||
HistoryController.selectHistoryApi,
|
HistoryController.selectHistoryApi,
|
||||||
HistoryController.ensureProjectHistoryEnabled,
|
HistoryController.ensureProjectHistoryEnabled,
|
||||||
|
|
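Review bot: The six routes touched here (`/updates`, `/doc/:doc_id/diff`, `/diff`, `/filetree/diff`, the `downloadZipOfVersion` route and `/labels`) each get `AuthorizationMiddleware.blockRestrictedUserFromProject` added by hand in front of `ensureUserCanReadProject`, so a history route added later, or one in `initialize` outside these hunks, can miss the guard without anything failing. Defining the pair once, e.g. `const historyReadAccess = [AuthorizationMiddleware.blockRestrictedUserFromProject, AuthorizationMiddleware.ensureUserCanReadProject]`, and passing that array to every history route would keep the two checks together. The commit changes a single file, so it appears to ship without a test; an acceptance test asserting that a restricted token user is refused on each of these paths would pin the behaviour. The `/labels` route continues past the end of the last hunk and other history endpoints are not visible here, so their middleware chains should be checked for the same guard.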