
accessTokenParser csrfVerify

mizozobu %!s(int64=6) %!d(string=hai) anos
pai
achega
18dbfa063f

+ 7 - 3
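--- a/src/server/routes/apiv3/user-group-relation.js
+++ b/src/server/routes/apiv3/user-group-relation.js
@@ -6,15 +6,19 @@ const express = require('express');
 
 const router = express.Router();
 
-const middleware = require('../../util/middlewares');
-
-const { loginRequired, adminRequired, formValid } = middleware;
+const {
+  accessTokenParser,
+  loginRequired,
+  adminRequired,
+} = require('../../util/middlewares');
 
 const ApiResponse = require('../../util/apiResponse');
 
 module.exports = (crowi) => {
   const { UserGroup, UserGroupRelation } = crowi.models;
 
+  router.use('/', accessTokenParser(crowi));
+
   router.get('/', loginRequired(crowi), adminRequired(), async(req, res) => {
     // TODO: filter with querystring? or body
     try {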
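Review bot: `router.use('/', accessTokenParser(crowi))` is mounted before every route in this router, so an API access token now satisfies `loginRequired(crowi)`/`adminRequired()` on these admin endpoints; that is presumably the intent, but nothing in the file says so, and a short comment would help the next reader, e.g. `// Accept API access tokens (in addition to session auth) for all routes of this router`. The hunk shows only a GET route, and unlike user-group.js no `csrfVerify(crowi)` is imported here — if this file has any state-changing route outside the hunk, it should get the same `csrfVerify(crowi)` treatment. The rewritten import also drops `formValid`; that is fine only if the rest of the file no longer references it, which cannot be confirmed from this hunk. The `'/'` path argument to `router.use` is the default and can be omitted.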

+ 13 - 5
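--- a/src/server/routes/apiv3/user-group.js
+++ b/src/server/routes/apiv3/user-group.js
@@ -10,13 +10,21 @@ const { body, param } = require('express-validator/check');
 
 const validator = {};
 
-const { loginRequired, adminRequired, formValid } = require('../../util/middlewares');
+const {
+  accessTokenParser,
+  csrfVerify,
+  loginRequired,
+  adminRequired,
+  formValid,
+} = require('../../util/middlewares');
 
 const ApiResponse = require('../../util/apiResponse');
 
 module.exports = (crowi) => {
   const { UserGroup, UserGroupRelation } = crowi.models;
 
+  router.use('/', accessTokenParser(crowi));
+
   router.get('/', loginRequired(crowi), adminRequired(), async(req, res) => {
     // TODO: filter with querystring
     try {
@@ -33,7 +41,7 @@ module.exports = (crowi) => {
     body('name').trim().exists(),
   ];
 
-  router.post('/create', loginRequired(crowi), adminRequired(), validator.create, formValid(), async(req, res) => {
+  router.post('/create', loginRequired(crowi), adminRequired(), csrfVerify(crowi), validator.create, formValid(), async(req, res) => {
     const { name } = req.body;
 
     try {
@@ -55,7 +63,7 @@ module.exports = (crowi) => {
     body('transferToUserGroupId').trim(),
   ];
 
-  router.post('/:id/delete', loginRequired(crowi), adminRequired(), validator.delete, formValid(), async(req, res) => {
+  router.post('/:id/delete', loginRequired(crowi), adminRequired(), csrfVerify(crowi), validator.delete, formValid(), async(req, res) => {
     const { id: deleteGroupId } = req.params;
     const { actionName, transferToUserGroupId } = req.body;
 
@@ -72,11 +80,11 @@ module.exports = (crowi) => {
   });
 
   // return one group with the id
-  // router.get('/:id', loginRequired(crowi), adminRequired(), async(req, res) => {
+  // router.get('/:id', async(req, res) => {
   // });
 
   // update one group with the id
-  // router.post('/:id/update', loginRequired(crowi), adminRequired(), async(req, res) => {
+  // router.post('/:id/update', async(req, res) => {
   // });
 
   router.get('/:id/users', loginRequired(crowi), adminRequired(), async(req, res) => {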
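Review bot: In the last hunk the commented-out route stubs lose their `loginRequired(crowi), adminRequired()` middleware, so whoever later uncomments `/:id` or `/:id/update` starts from an unprotected signature, and the update stub also lacks the `csrfVerify(crowi)` that the live POST routes (`/create`, `/:id/delete`) now carry. I would keep the full chain in the placeholders: `// router.get('/:id', loginRequired(crowi), adminRequired(), async(req, res) => {` and `// router.post('/:id/update', loginRequired(crowi), adminRequired(), csrfVerify(crowi), async(req, res) => {`. Placing `csrfVerify(crowi)` after `adminRequired()` and before the validators is sensible; whether it skips or enforces the check for requests authenticated via `accessTokenParser` is decided in middlewares and is not visible here, so a one-line comment at the `router.use('/', accessTokenParser(crowi))` site stating the intended interplay would be worth adding.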