From 7d05cbba1dc99b7f03af59b01041a5088e504313 Mon Sep 17 00:00:00 2001
From: kirrg001
Date: Wed, 30 Jan 2019 13:08:35 +0100
Subject: [PATCH] Added `notImplemented` middleware for integrations

refs #9865
---
 core/server/translations/en.json | 3 +-
 core/server/web/api/v2/admin/middleware.js | 38 +++++++++++++++++++++-
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/core/server/translations/en.json b/core/server/translations/en.json
index 83dcc9e1f9..64a2da505c 100644
--- a/core/server/translations/en.json
+++ b/core/server/translations/en.json
@@ -314,7 +314,8 @@
 },
 "api": {
 "common": {
- "invalidTokenStructure": "Invalid token structure"
+ "invalidTokenStructure": "Invalid token structure",
+ "notImplemented": "The server does not support the functionality required to fulfill the request."
 },
 "authentication": {
 "setupUnableToRun": "Database missing fixture data. Please reset database and try again.",
diff --git a/core/server/web/api/v2/admin/middleware.js b/core/server/web/api/v2/admin/middleware.js
index 248261faf2..8242eec88b 100644
--- a/core/server/web/api/v2/admin/middleware.js
+++ b/core/server/web/api/v2/admin/middleware.js
@@ -1,6 +1,41 @@
+const common = require('../../../../lib/common');
 const auth = require('../../../../services/auth');
 const shared = require('../../../shared');
 
+const notImplemented = function (req, res, next) {
+ // CASE: user is logged in, allow
+ if (!req.api_key) {
+ return next();
+ }
+
+ // @NOTE: integrations have limited access for now
+ const whitelisted = {
+ // @NOTE: stable
+ posts: ['GET', 'PUT', 'DELETE', 'POST'],
+ tags: ['GET', 'PUT', 'DELETE', 'POST'],
+ uploads: ['POST'],
+ // @NOTE: experimental
+ users: ['GET'],
+ themes: ['POST']
+ };
+
+ const match = req.url.match(/^\/(\w+)\//);
+
+ if (match) {
+ const entity = match[1];
+
+ if (whitelisted[entity] && whitelisted[entity].includes(req.method)) {
+ return next();
+ }
+ }
+
+ next(new common.errors.GhostError({
+ errorType: 'NotImplementedError',
+ message: common.i18n.t('errors.api.common.notImplemented'),
+ statusCode: '501'
+ }));
+};
+
 /**
 * Authentication for private endpoints
 */
@@ -10,7 +45,8 @@ module.exports.authAdminApi = [
 shared.middlewares.updateUserLastSeen,
 shared.middlewares.api.cors,
 shared.middlewares.urlRedirects.adminRedirect,
- shared.middlewares.prettyUrls
+ shared.middlewares.prettyUrls,
+ notImplemented
 ];
 
 /**
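Review bot: The added `if (whitelisted[entity] && whitelisted[entity].includes(req.method))` line looks `entity` up on a plain object literal, so a request whose first path segment is an inherited property name — `/constructor/`, `/toString/` and `/__proto__/` all satisfy `\w+` — yields a function or `Object.prototype` rather than an array, and `.includes` throws a TypeError; presumably Express's error handling then answers 500 with an internal error instead of the 501 this middleware intends for non-whitelisted resources. An own-property check closes it: `if (Object.prototype.hasOwnProperty.call(whitelisted, entity) && whitelisted[entity].includes(req.method)) {`. The `whitelisted` table is also rebuilt on every request; hoisting it to module scope as an `Object.freeze`d constant with a comment such as `// Deny-by-default allowlist for API-key (integration) requests, keyed on the first path segment; unlisted entity/method pairs get 501` would make the security intent explicit, and `req.path` is the usual choice over `req.url`, which still carries the query string. Note that `/^\/(\w+)\//` requires a trailing slash, so `/posts` without one is rejected with 501 unless `prettyUrls`, which runs earlier in `authAdminApi`, normalises it first — worth confirming. The middleware itself is fully inside the hunk.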