Only show user list to logged in users with appropriate permissions

fumiX · Aug 1, 2024 · ecc6031 · ecc6031
1 parent f7f401b
commit ecc6031
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 13 deletions.
diff --git a/client/src/util/api-client.ts b/client/src/util/api-client.ts
@@ -90,7 +90,7 @@ export class AuthEndpoints {
   static async getLoggedInUser(): Promise<LoggedInUserInfo> {
     const token = loadIdToken();
     if (token) {
-      return callServer<null, JsonMimeType, LoggedInUserInfo>("/api/auth/loggedInUser/", "POST", "application/json");
+      return callServer<null, JsonMimeType, LoggedInUserInfo>("/api/utility/loggedInUser", "POST", "application/json");
     }
     return Promise.reject();
   }

diff --git a/server/src/routes/admin.ts b/server/src/routes/admin.ts
@@ -1,11 +1,17 @@
-import { toProviderId, UserWithOAuthProviders } from "@fumix/fu-blog-common";
+import { LoggedInUserInfo, toProviderId, UserWithOAuthProviders } from "@fumix/fu-blog-common";
+import { authMiddleware } from "../service/middleware/auth.js";
 import express, { Request, Response, Router } from "express";
 import { AppDataSource } from "../data-source.js";
 import { OAuthAccountEntity } from "../entity/OAuthAccount.entity.js";
 
 const router: Router = express.Router();
 
-router.get("/users", async (req, res, next) => {
+router.get("/users", authMiddleware, async (req, res, next) => {
+  const loggedInUser: LoggedInUserInfo | undefined = await req.loggedInUser?.();
+  if (loggedInUser?.permissions?.canEditUserRoles ?? true) {
+    return res.status(401).json({ message: "Unauthorized" });
+  }
+
   await AppDataSource.manager
     .getRepository(OAuthAccountEntity)
     .find({ relations: { user: true }, order: { user: { id: "ASC" } } })

diff --git a/server/src/routes/auth.ts b/server/src/routes/auth.ts
@@ -97,16 +97,6 @@ async function getAuthorizationUrl(
   }
 }
 
-router.post("/loggedInUser", authMiddleware, async (req, res) => {
-  const account = await req.loggedInUser?.();
-
-  if (account) {
-    res.status(200).json(account);
-  } else {
-    res.status(403).json({ error: "Unauthorized" });
-  }
-});
-
 /**
  * Endpoint to get a {@link OAuthUserInfoDto}.
  *

diff --git a/server/src/routes/utility.ts b/server/src/routes/utility.ts
@@ -116,4 +116,14 @@ router.post("/dallEGenerateImage", authMiddleware, async (req, res, next) => {
     .catch((e) => res.status(502).json({ error: e }));
 });
 
+router.post("/loggedInUser", authMiddleware, async (req, res) => {
+  const account = await req.loggedInUser?.();
+
+  if (account) {
+    res.status(200).json(account);
+  } else {
+    res.status(403).json({ error: "Unauthorized" });
+  }
+});
+
 export default router;