Infrastructure/pingvin-share
0
Fork 0
mirror of https://github.com/stonith404/pingvin-share.git synced 2025-02-19 01:55:48 -05:00
Code Issues Activity

fix: admin couldn't delete shares created by anonymous users

Browse source
This commit is contained in:
Elias Schneider 2024-05-17 15:13:56 +02:00
parent a3a7a5d9ab
commit 7afda85f03
No known key found for this signature in database
GPG key ID: 07E623B294202B6C
3 changed files with 19 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
backend/src/share/guard/shareOwner.guard.ts
View file

@ -5,9 +5,9 @@ import {
} from "@nestjs/common";
import { User } from "@prisma/client";
import { Request } from "express";
import { ConfigService } from "src/config/config.service";
import { PrismaService } from "src/prisma/prisma.service";
import { JwtGuard } from "../../auth/guard/jwt.guard";
import { ConfigService } from "src/config/config.service";
@Injectable()
export class ShareOwnerGuard extends JwtGuard {
@ -34,10 +34,20 @@ export class ShareOwnerGuard extends JwtGuard {
if (!share) throw new NotFoundException("Share not found");
// Run the JWTGuard to set the user
await super.canActivate(context);
const user = request.user as User;
// If the user is an admin, allow access
if (user?.isAdmin) return true;
// If it's a anonymous share, allow access
if (!share.creatorId) return true;
if (!(await super.canActivate(context))) return false;
// If not signed in, deny access
if (!user) return false;
return share.creatorId == (request.user as User).id;
// If the user is the creator of the share, allow access
return share.creatorId == user.id;
}
}

5
backend/src/share/share.controller.ts
View file

@ -94,8 +94,9 @@ export class ShareController {
@Delete(":id")
@UseGuards(ShareOwnerGuard)
async remove(@Param("id") id: string) {
await this.shareService.remove(id);
async remove(@Param("id") id: string, @GetUser() user: User) {
const isDeleterAdmin = user?.isAdmin === true;
await this.shareService.remove(id, isDeleterAdmin);
}
@Throttle(10, 60)

5
backend/src/share/share.service.ts
View file

@ -267,13 +267,14 @@ export class ShareService {
return share;
}
async remove(shareId: string) {
async remove(shareId: string, isDeleterAdmin = false) {
const share = await this.prisma.share.findUnique({
where: { id: shareId },
});
if (!share) throw new NotFoundException("Share not found");
if (!share.creatorId)
if (!share.creatorId && !isDeleterAdmin)
throw new ForbiddenException("Anonymous shares can't be deleted");
await this.fileService.deleteAllFiles(shareId);