Merge pull request #7258 from overleaf/jpa-restrict-history-access

[web] block restricted token users from accessing project history

GitOrigin-RevId: 18e6d58150be3846bc87e292108c1a09c553c9be
Jakob Ackermann 2022-03-28 13:23:15 +01:00 committed by Copybot
parent f9b3526b03
commit 5f5b17c6e9


@ -580,24 +580,28 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
) )
webRouter.get( webRouter.get(
'/project/:Project_id/updates', '/project/:Project_id/updates',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject, AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi, HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApiAndInjectUserDetails HistoryController.proxyToHistoryApiAndInjectUserDetails
) )
webRouter.get( webRouter.get(
'/project/:Project_id/doc/:doc_id/diff', '/project/:Project_id/doc/:doc_id/diff',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject, AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi, HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApi HistoryController.proxyToHistoryApi
) )
webRouter.get( webRouter.get(
'/project/:Project_id/diff', '/project/:Project_id/diff',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject, AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi, HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApiAndInjectUserDetails HistoryController.proxyToHistoryApiAndInjectUserDetails
) )
webRouter.get( webRouter.get(
'/project/:Project_id/filetree/diff', '/project/:Project_id/filetree/diff',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject, AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi, HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApi HistoryController.proxyToHistoryApi
@ -625,6 +629,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
maxRequests: 30, maxRequests: 30,
timeInterval: 60 * 60, timeInterval: 60 * 60,
}), }),
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject, AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.downloadZipOfVersion HistoryController.downloadZipOfVersion
) )
@ -636,6 +641,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
webRouter.get( webRouter.get(
'/project/:Project_id/labels', '/project/:Project_id/labels',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject, AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi, HistoryController.selectHistoryApi,
HistoryController.ensureProjectHistoryEnabled, HistoryController.ensureProjectHistoryEnabled,