From ecc6031ac3c8016a80f7ca1e787aada882001609 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Florian=20Sch=C3=A4fer?=
Date: Thu, 1 Aug 2024 11:36:51 +0200
Subject: [PATCH] Only show user list to logged in users with appropriate permissions

---
 client/src/util/api-client.ts | 2 +-
 server/src/routes/admin.ts | 10 ++++++++--
 server/src/routes/auth.ts | 10 ----------
 server/src/routes/utility.ts | 10 ++++++++++
 4 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/client/src/util/api-client.ts b/client/src/util/api-client.ts
index adb2f79..a5d954f 100644
--- a/client/src/util/api-client.ts
+++ b/client/src/util/api-client.ts
@@ -90,7 +90,7 @@ export class AuthEndpoints {
   static async getLoggedInUser(): Promise {
     const token = loadIdToken();
     if (token) {
-      return callServer("/api/auth/loggedInUser/", "POST", "application/json");
+      return callServer("/api/utility/loggedInUser", "POST", "application/json");
     }
     return Promise.reject();
   }
diff --git a/server/src/routes/admin.ts b/server/src/routes/admin.ts
index f0580cb..900b774 100644
--- a/server/src/routes/admin.ts
+++ b/server/src/routes/admin.ts
@@ -1,11 +1,17 @@
-import { toProviderId, UserWithOAuthProviders } from "@fumix/fu-blog-common";
+import { LoggedInUserInfo, toProviderId, UserWithOAuthProviders } from "@fumix/fu-blog-common";
+import { authMiddleware } from "../service/middleware/auth.js";
 import express, { Request, Response, Router } from "express";
 import { AppDataSource } from "../data-source.js";
 import { OAuthAccountEntity } from "../entity/OAuthAccount.entity.js";
 
 const router: Router = express.Router();
 
-router.get("/users", async (req, res, next) => {
+router.get("/users", authMiddleware, async (req, res, next) => {
+  const loggedInUser: LoggedInUserInfo | undefined = await req.loggedInUser?.();
+  if (loggedInUser?.permissions?.canEditUserRoles ?? true) {
+    return res.status(401).json({ message: "Unauthorized" });
+  }
+
   await AppDataSource.manager
     .getRepository(OAuthAccountEntity)
     .find({ relations: { user: true }, order: { user: { id: "ASC" } } })
diff --git a/server/src/routes/auth.ts b/server/src/routes/auth.ts
index 9c1b266..6023fd7 100644
--- a/server/src/routes/auth.ts
+++ b/server/src/routes/auth.ts
@@ -97,16 +97,6 @@ async function getAuthorizationUrl(
   }
 }
 
-router.post("/loggedInUser", authMiddleware, async (req, res) => {
-  const account = await req.loggedInUser?.();
-
-  if (account) {
-    res.status(200).json(account);
-  } else {
-    res.status(403).json({ error: "Unauthorized" });
-  }
-});
-
 /**
  * Endpoint to get a {@link OAuthUserInfoDto}.
  *
diff --git a/server/src/routes/utility.ts b/server/src/routes/utility.ts
index d07b274..ffe5362 100644
--- a/server/src/routes/utility.ts
+++ b/server/src/routes/utility.ts
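Review bot: The new permission guard in `/users` is inverted: `loggedInUser?.permissions?.canEditUserRoles ?? true` evaluates to true precisely when the caller has the role, so the users who are supposed to see the list get the 401, while a logged-in user whose `canEditUserRoles` is explicitly `false` falls through to the account query below. The condition should reject whenever the flag is anything other than true, `if (loggedInUser?.permissions?.canEditUserRoles !== true) {`. If authMiddleware has already established the caller's identity by this point (it is not visible here), a missing permission is the 403 Forbidden case rather than 401, and using `{ error: ... }` would match the response shape of the `/loggedInUser` handler this same commit moves into utility.ts. The handler's body continues past the end of the hunk.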
@@ -116,4 +116,14 @@ router.post("/dallEGenerateImage", authMiddleware, async (req, res, next) => {
     .catch((e) => res.status(502).json({ error: e }));
 });
 
+router.post("/loggedInUser", authMiddleware, async (req, res) => {
+  const account = await req.loggedInUser?.();
+
+  if (account) {
+    res.status(200).json(account);
+  } else {
+    res.status(403).json({ error: "Unauthorized" });
+  }
+});
+
 export default router;
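Review bot: The relocated `/loggedInUser` handler still answers 403 with `{ error: "Unauthorized" }` when `req.loggedInUser?.()` yields no account; an absent identity is the 401 Unauthorized case, while 403 means an authenticated caller lacks permission, so `res.status(403)` in the else branch would read more accurately as `res.status(401).json({ error: "Unauthorized" });`. Whether that branch is reachable at all depends on how authMiddleware treats unauthenticated requests, which is outside this hunk, so it is worth a one-line comment either way, e.g. `// authMiddleware may pass requests without a resolved user; treat that as unauthenticated`.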