mirror/spacedeck-open
1
0
Fork 0
mirror of https://github.com/spacedeck/spacedeck-open.git synced 2025-12-15 17:37:30 +01:00
Code Issues Projects Releases Wiki Activity

security: prevent leak of creator information in space responses; ensure home folder id is set when creating space

Browse Source
This commit is contained in:
mntmn
2020-05-11 18:28:12 +02:00
committed by mntmn
parent e61bc1e23f
commit effeb6c809
2 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
models/db.js
View File

@@ -51,6 +51,17 @@ module.exports = {
updated_at: {type: Sequelize.DATE, defaultValue: Sequelize.NOW} updated_at: {type: Sequelize.DATE, defaultValue: Sequelize.NOW}
}), }),
CreatorSafeInclude: function(db) {
return {
model: this.User,
as: 'creator',
attributes: ['_id','email','nickname',
'avatar_original_uri',
'avatar_thumb_uri',
'created_at','updated_at']
};
},
Session: sequelize.define('session', { Session: sequelize.define('session', {
token: {type: Sequelize.STRING, primaryKey: true}, token: {type: Sequelize.STRING, primaryKey: true},
user_id: Sequelize.STRING, user_id: Sequelize.STRING,

10
routes/api/spaces.js
View File

@@ -71,7 +71,7 @@ router.get('/', function(req, res, next) {
{"_id": {[Op.in]: spaceIds}}, {"_id": {[Op.in]: spaceIds}},
{"parent_space_id": {[Op.in]: spaceIds}}], {"parent_space_id": {[Op.in]: spaceIds}}],
name: {[Op.like]: "%"+req.query.search+"%"} name: {[Op.like]: "%"+req.query.search+"%"}
}, include: ['creator']}; }, include: [db.CreatorSafeInclude(db)]};
db.Space db.Space
.findAll(q) .findAll(q)
@@ -87,7 +87,6 @@ router.get('/', function(req, res, next) {
.findOne({where: { .findOne({where: {
_id: req.query.parent_space_id _id: req.query.parent_space_id
}}) }})
//.populate('creator', userMapping)
.then(function(space) { .then(function(space) {
if (space) { if (space) {
db.getUserRoleInSpace(space, req.user, function(role) { db.getUserRoleInSpace(space, req.user, function(role) {
@@ -101,7 +100,7 @@ router.get('/', function(req, res, next) {
db.Space db.Space
.findAll({where:{ .findAll({where:{
parent_space_id: req.query.parent_space_id parent_space_id: req.query.parent_space_id
}, include:['creator']}) }, include:[db.CreatorSafeInclude(db)]})
.then(function(spaces) { .then(function(spaces) {
res.status(200).json(spaces); res.status(200).json(spaces);
}); });
@@ -147,7 +146,7 @@ router.get('/', function(req, res, next) {
}; };
db.Space db.Space
.findAll({where: q, include: ['creator']}) .findAll({where: q, include: [db.CreatorSafeInclude(db)]})
.then(function(spaces) { .then(function(spaces) {
var updatedSpaces = spaces.map(function(s) { var updatedSpaces = spaces.map(function(s) {
var spaceObj = db.spaceToObject(s); var spaceObj = db.spaceToObject(s);
@@ -169,7 +168,7 @@ router.post('/', function(req, res, next) {
attrs._id = uuidv4(); attrs._id = uuidv4();
attrs.creator_id = req.user._id; attrs.creator_id = req.user._id;
attrs.edit_hash = crypto.randomBytes(64).toString('hex').substring(0, 7); attrs.edit_hash = crypto.randomBytes(64).toString('hex').substring(0, 7);
attrs.edit_slug = slug(attrs.name); attrs.edit_slug = attrs.edit_slug || slug(attrs.name);
attrs.access_mode = "private"; attrs.access_mode = "private";
db.Space.create(attrs).then(createdSpace => { db.Space.create(attrs).then(createdSpace => {
@@ -211,6 +210,7 @@ router.post('/', function(req, res, next) {
} }
}); });
} else { } else {
attrs.parent_space_id = req.user.home_folder_id;
createSpace(); createSpace();
} }