
create certifyUserOperationOtherThenYourOwn middleware

Shun Miyazawa 3 лет назад
Родитель
Сommit
22418207f7
1 измененных файлов с 16 добавлено и 3 удалено
      packages/app/src/server/routes/apiv3/users.js

+ 16 - 3
packages/app/src/server/routes/apiv3/users.js

@@ -134,6 +134,19 @@ module.exports = (crowi) => {
     query('options').optional().isString().withMessage('options must be string'),
   ];
 
+  // express middleware
+  const certifyUserOperationOtherThenYourOwn = (req, res, next) => {
+    const { id } = req.params;
+
+    if (req.user._id.toString() === id) {
+      const msg = 'This API is not available for your own users';
+      logger.error(msg);
+      return res.apiv3Err(new ErrorV3(msg), 400);
+    }
+
+    next();
+  };
+
   const sendEmailByUserList = async(userList) => {
     const { appService, mailService } = crowi;
     const appTitle = appService.getAppTitle();
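Review bot: The self-check at the top of `certifyUserOperationOtherThenYourOwn` compares the raw `:id` string against `req.user._id.toString()`, so it is sensitive to hex letter case while an ObjectId lookup in the handler (if that is what `removeAdmin`/`deactivate`/`remove` do, not visible here) would not be; the guard and the lookup should agree on canonicalization. If `req.user._id` is a bson ObjectId, `if (req.user._id.equals(id)) {` does the case-insensitive comparison; otherwise normalise with `String(id).toLowerCase()` before comparing. `logger.error` for a rejected client request reads as a server fault in the logs; `logger.warn` fits a 400, and 403 may describe the refusal better than 400 since the request is well-formed but not permitted. The middleware name also has "Then" where "Than" is meant (`certifyUserOperationOtherThanYourOwn`) and the message "not available for your own users" would be clearer as "not available for your own user". The same name is wired into the three routes in the later hunks of this file.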
@@ -509,7 +522,7 @@ module.exports = (crowi) => {
    *                      type: object
    *                      description: data of removed admin user
    */
-  router.put('/:id/removeAdmin', loginRequiredStrictly, adminRequired, addActivity, async(req, res) => {
+  router.put('/:id/removeAdmin', loginRequiredStrictly, adminRequired, certifyUserOperationOtherThenYourOwn, addActivity, async(req, res) => {
     const { id } = req.params;
 
     try {
@@ -605,7 +618,7 @@ module.exports = (crowi) => {
    *                      type: object
    *                      description: data of deactivate user
    */
-  router.put('/:id/deactivate', loginRequiredStrictly, adminRequired, addActivity, async(req, res) => {
+  router.put('/:id/deactivate', loginRequiredStrictly, adminRequired, certifyUserOperationOtherThenYourOwn, addActivity, async(req, res) => {
     const { id } = req.params;
 
     try {
@@ -649,7 +662,7 @@ module.exports = (crowi) => {
    *                      type: object
    *                      description: data of delete user
    */
-  router.delete('/:id/remove', loginRequiredStrictly, adminRequired, addActivity, async(req, res) => {
+  router.delete('/:id/remove', loginRequiredStrictly, adminRequired, certifyUserOperationOtherThenYourOwn, addActivity, async(req, res) => {
     const { id } = req.params;
 
     try {