
feat: add access token parser to markdown settings routes for enhanced security

Shun Miyazawa 10 месяцев назад
Родитель
Сommit
2abc9384e5
1 измененных файлов с 88 добавлено и 88 удалено
  1. 88 88
      apps/app/src/server/routes/apiv3/markdown-setting.js

+ 88 - 88
apps/app/src/server/routes/apiv3/markdown-setting.js

@@ -1,13 +1,14 @@
+import { SCOPE } from '@growi/core/dist/interfaces';
 import { ErrorV3 } from '@growi/core/dist/models';
 
 import { SupportedAction } from '~/interfaces/activity';
+import { accessTokenParser } from '~/server/middlewares/access-token-parser';
 import { configManager } from '~/server/service/config-manager';
 import loggerFactory from '~/utils/logger';
 
 import { generateAddActivityMiddleware } from '../../middlewares/add-activity';
 import { apiV3FormValidator } from '../../middlewares/apiv3-form-validator';
 
-
 const logger = loggerFactory('growi:routes:apiv3:markdown-setting');
 
 const express = require('express');
@@ -149,8 +150,7 @@ module.exports = (crowi) => {
    *                      description: markdown params
    *                      $ref: '#/components/schemas/MarkdownParams'
    */
-  // TODO: 167279
-  router.get('/', loginRequiredStrictly, adminRequired, async(req, res) => {
+  router.get('/', accessTokenParser([SCOPE.READ.ADMIN.MARKDOWN]), loginRequiredStrictly, adminRequired, async(req, res) => {
     const markdownParams = {
       isEnabledLinebreaks: await crowi.configManager.getConfig('markdown:isEnabledLinebreaks'),
       isEnabledLinebreaksInComments: await crowi.configManager.getConfig('markdown:isEnabledLinebreaksInComments'),
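Review bot: The route now carries `accessTokenParser([SCOPE.READ.ADMIN.MARKDOWN])` ahead of `loginRequiredStrictly` and `adminRequired`, but nothing on the line says why that order matters or which callers the scope is meant for, and the removed `// TODO: 167279` marker was the only hint that scoping was pending. Presumably the parser has to run first so that a scoped API token can populate the request user before the login/admin checks; if that is the intent, a one-line comment above the route, `// accessTokenParser must precede loginRequiredStrictly so a token scoped READ.ADMIN.MARKDOWN can satisfy the login/admin checks`, records the contract for the next maintainer. The swagger block for this route starts outside the hunk, so I cannot tell whether it declares the token scope; if it does not, it should.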
@@ -192,33 +192,33 @@ module.exports = (crowi) => {
    *                      type: object
    *                      $ref: '#/components/schemas/LineBreakParams'
    */
-  // TODO: 167279
-  router.put('/lineBreak', loginRequiredStrictly, adminRequired, addActivity, validator.lineBreak, apiV3FormValidator, async(req, res) => {
-
-    const requestLineBreakParams = {
-      'markdown:isEnabledLinebreaks': req.body.isEnabledLinebreaks,
-      'markdown:isEnabledLinebreaksInComments': req.body.isEnabledLinebreaksInComments,
-    };
+  router.put('/lineBreak', accessTokenParser([SCOPE.WRITE.ADMIN.MARKDOWN]),
+    loginRequiredStrictly, adminRequired, addActivity, validator.lineBreak, apiV3FormValidator, async(req, res) => {
 
-    try {
-      await configManager.updateConfigs(requestLineBreakParams);
-      const lineBreaksParams = {
-        isEnabledLinebreaks: await crowi.configManager.getConfig('markdown:isEnabledLinebreaks'),
-        isEnabledLinebreaksInComments: await crowi.configManager.getConfig('markdown:isEnabledLinebreaksInComments'),
+      const requestLineBreakParams = {
+        'markdown:isEnabledLinebreaks': req.body.isEnabledLinebreaks,
+        'markdown:isEnabledLinebreaksInComments': req.body.isEnabledLinebreaksInComments,
       };
 
-      const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_LINE_BREAK_UPDATE };
-      activityEvent.emit('update', res.locals.activity._id, parameters);
+      try {
+        await configManager.updateConfigs(requestLineBreakParams);
+        const lineBreaksParams = {
+          isEnabledLinebreaks: await crowi.configManager.getConfig('markdown:isEnabledLinebreaks'),
+          isEnabledLinebreaksInComments: await crowi.configManager.getConfig('markdown:isEnabledLinebreaksInComments'),
+        };
 
-      return res.apiv3({ lineBreaksParams });
-    }
-    catch (err) {
-      const msg = 'Error occurred in updating lineBreak';
-      logger.error('Error', err);
-      return res.apiv3Err(new ErrorV3(msg, 'update-lineBreak-failed'));
-    }
+        const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_LINE_BREAK_UPDATE };
+        activityEvent.emit('update', res.locals.activity._id, parameters);
 
-  });
+        return res.apiv3({ lineBreaksParams });
+      }
+      catch (err) {
+        const msg = 'Error occurred in updating lineBreak';
+        logger.error('Error', err);
+        return res.apiv3Err(new ErrorV3(msg, 'update-lineBreak-failed'));
+      }
+
+    });
 
   /**
    * @swagger
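Review bot: The whole body of the `/lineBreak` handler is re-indented one level only because the middleware list was wrapped onto a second line, which turns a one-middleware change into an 88-line diff and buries the lines that actually changed; the `/indent` and `/xss` hunks do the same. Hoisting the shared chain into a named array keeps the handler bodies at their original indent and makes the scope visible in one place: `const adminMarkdownWrite = [accessTokenParser([SCOPE.WRITE.ADMIN.MARKDOWN]), loginRequiredStrictly, adminRequired];` and then `router.put('/lineBreak', ...adminMarkdownWrite, addActivity, validator.lineBreak, apiV3FormValidator, async(req, res) => {`. Express accepts spread or nested arrays of handlers in a route definition, so the execution order is unchanged.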
@@ -248,33 +248,33 @@ module.exports = (crowi) => {
    *                      description: indent params
    *                      $ref: '#/components/schemas/IndentParams'
    */
-  // TODO: 167279
-  router.put('/indent', loginRequiredStrictly, adminRequired, addActivity, validator.indent, apiV3FormValidator, async(req, res) => {
-
-    const requestIndentParams = {
-      'markdown:adminPreferredIndentSize': req.body.adminPreferredIndentSize,
-      'markdown:isIndentSizeForced': req.body.isIndentSizeForced,
-    };
+  router.put('/indent', accessTokenParser([SCOPE.WRITE.ADMIN.MARKDOWN]),
+    loginRequiredStrictly, adminRequired, addActivity, validator.indent, apiV3FormValidator, async(req, res) => {
 
-    try {
-      await configManager.updateConfigs(requestIndentParams);
-      const indentParams = {
-        adminPreferredIndentSize: await crowi.configManager.getConfig('markdown:adminPreferredIndentSize'),
-        isIndentSizeForced: await crowi.configManager.getConfig('markdown:isIndentSizeForced'),
+      const requestIndentParams = {
+        'markdown:adminPreferredIndentSize': req.body.adminPreferredIndentSize,
+        'markdown:isIndentSizeForced': req.body.isIndentSizeForced,
       };
 
-      const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_INDENT_UPDATE };
-      activityEvent.emit('update', res.locals.activity._id, parameters);
+      try {
+        await configManager.updateConfigs(requestIndentParams);
+        const indentParams = {
+          adminPreferredIndentSize: await crowi.configManager.getConfig('markdown:adminPreferredIndentSize'),
+          isIndentSizeForced: await crowi.configManager.getConfig('markdown:isIndentSizeForced'),
+        };
 
-      return res.apiv3({ indentParams });
-    }
-    catch (err) {
-      const msg = 'Error occurred in updating indent';
-      logger.error('Error', err);
-      return res.apiv3Err(new ErrorV3(msg, 'update-indent-failed'));
-    }
+        const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_INDENT_UPDATE };
+        activityEvent.emit('update', res.locals.activity._id, parameters);
 
-  });
+        return res.apiv3({ indentParams });
+      }
+      catch (err) {
+        const msg = 'Error occurred in updating indent';
+        logger.error('Error', err);
+        return res.apiv3Err(new ErrorV3(msg, 'update-indent-failed'));
+      }
+
+    });
 
   /**
    * @swagger
@@ -300,49 +300,49 @@ module.exports = (crowi) => {
    *                schema:
    *                  $ref: '#/components/schemas/XssParams'
    */
-  // TODO: 167279
-  router.put('/xss', loginRequiredStrictly, adminRequired, addActivity, validator.xssSetting, apiV3FormValidator, async(req, res) => {
-    if (req.body.isEnabledXss && req.body.xssOption == null) {
-      return res.apiv3Err(new ErrorV3('xss option is required'));
-    }
-
-    try {
-      JSON.parse(req.body.attrWhitelist);
-    }
-    catch (err) {
-      const msg = 'Error occurred in updating xss';
-      logger.error('Error', err);
-      return res.apiv3Err(new ErrorV3(msg, 'update-xss-failed'));
-    }
-
-    const reqestXssParams = {
-      'markdown:rehypeSanitize:isEnabledPrevention': req.body.isEnabledXss,
-      'markdown:rehypeSanitize:option': req.body.xssOption,
-      'markdown:rehypeSanitize:tagNames': req.body.tagWhitelist,
-      'markdown:rehypeSanitize:attributes': req.body.attrWhitelist,
-    };
-
-    try {
-      await configManager.updateConfigs(reqestXssParams);
-      const xssParams = {
-        isEnabledXss: await crowi.configManager.getConfig('markdown:rehypeSanitize:isEnabledPrevention'),
-        xssOption: await crowi.configManager.getConfig('markdown:rehypeSanitize:option'),
-        tagWhitelist: await crowi.configManager.getConfig('markdown:rehypeSanitize:tagNames'),
-        attrWhitelist: await crowi.configManager.getConfig('markdown:rehypeSanitize:attributes'),
+  router.put('/xss', accessTokenParser([SCOPE.WRITE.ADMIN.MARKDOWN]),
+    loginRequiredStrictly, adminRequired, addActivity, validator.xssSetting, apiV3FormValidator, async(req, res) => {
+      if (req.body.isEnabledXss && req.body.xssOption == null) {
+        return res.apiv3Err(new ErrorV3('xss option is required'));
+      }
+
+      try {
+        JSON.parse(req.body.attrWhitelist);
+      }
+      catch (err) {
+        const msg = 'Error occurred in updating xss';
+        logger.error('Error', err);
+        return res.apiv3Err(new ErrorV3(msg, 'update-xss-failed'));
+      }
+
+      const reqestXssParams = {
+        'markdown:rehypeSanitize:isEnabledPrevention': req.body.isEnabledXss,
+        'markdown:rehypeSanitize:option': req.body.xssOption,
+        'markdown:rehypeSanitize:tagNames': req.body.tagWhitelist,
+        'markdown:rehypeSanitize:attributes': req.body.attrWhitelist,
       };
 
-      const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_XSS_UPDATE };
-      activityEvent.emit('update', res.locals.activity._id, parameters);
-
-      return res.apiv3({ xssParams });
-    }
-    catch (err) {
-      const msg = 'Error occurred in updating xss';
-      logger.error('Error', err);
-      return res.apiv3Err(new ErrorV3(msg, 'update-xss-failed'));
-    }
-
-  });
+      try {
+        await configManager.updateConfigs(reqestXssParams);
+        const xssParams = {
+          isEnabledXss: await crowi.configManager.getConfig('markdown:rehypeSanitize:isEnabledPrevention'),
+          xssOption: await crowi.configManager.getConfig('markdown:rehypeSanitize:option'),
+          tagWhitelist: await crowi.configManager.getConfig('markdown:rehypeSanitize:tagNames'),
+          attrWhitelist: await crowi.configManager.getConfig('markdown:rehypeSanitize:attributes'),
+        };
+
+        const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_XSS_UPDATE };
+        activityEvent.emit('update', res.locals.activity._id, parameters);
+
+        return res.apiv3({ xssParams });
+      }
+      catch (err) {
+        const msg = 'Error occurred in updating xss';
+        logger.error('Error', err);
+        return res.apiv3Err(new ErrorV3(msg, 'update-xss-failed'));
+      }
+
+    });
 
   return router;
 };
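Review bot: The `JSON.parse(req.body.attrWhitelist)` guard on the new side reports a malformed whitelist with the same text and code as a failed config update (`'Error occurred in updating xss'`, `'update-xss-failed'`), so a client using a token scoped `WRITE.ADMIN.MARKDOWN` cannot tell a fixable input error from a server-side fault, and a missing `attrWhitelist` lands in the same branch because `JSON.parse(undefined)` throws a SyntaxError. A dedicated response makes the contract explicit: `return res.apiv3Err(new ErrorV3('attrWhitelist must be a valid JSON string', 'invalid-attr-whitelist'));`. The parsed value is discarded and the raw string is what `configManager.updateConfigs` receives, which looks intentional but is worth a comment such as `// parse only to validate; the raw JSON string is what the config store expects`. Presumably `validator.xssSetting` does not already check this field; if it does, the try/catch is redundant and the parse can go.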