Inicio Explorar Axuda
Iniciar sesión
wiki
/
weseek__growi
réplica de https://github.com/weseek/growi
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

Merge pull request #9087 from weseek/fix/147836-153724-the-issue-that-grant-of-page-can-be-changed-via-api-even-if-restricted

fix: The grant of pages can be changed via api even if restricted
mergify[bot] hai 1 ano
pai
e25be03827 2457c2980d
achega
42a65bde4c
Modificáronse 2 ficheiros con 11 adicións e 2 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 1 0
      apps/app/src/interfaces/apiv3/page.ts
  2. 10 2
      apps/app/src/server/routes/apiv3/page/update-page.ts

+ 1 - 0
apps/app/src/interfaces/apiv3/page.ts
Ver ficheiro 

@@ -42,4 +42,5 @@ export type IApiv3PageUpdateResponse = {
 
 
 export const PageUpdateErrorCode = {
 
   CONFLICT: 'conflict',
 
+  FORBIDDEN: 'forbidden',
 
 } as const;

+ 10 - 2
apps/app/src/server/routes/apiv3/page/update-page.ts
Ver ficheiro 

@@ -4,6 +4,7 @@ import type {
 
 } from '@growi/core';
 
 import { ErrorV3 } from '@growi/core/dist/models';
 
 import { serializeUserSecurely } from '@growi/core/dist/models/serializers';
 
+import { isTopPage, isUsersProtectedPages } from '@growi/core/dist/utils/page-path-utils';
 
 import type { Request, RequestHandler } from 'express';
 
 import type { ValidationChain } from 'express-validator';
 
 import { body } from 'express-validator';
 
@@ -27,6 +28,7 @@ import { apiV3FormValidator } from '../../../middlewares/apiv3-form-validator';
 
 import { excludeReadOnlyUser } from '../../../middlewares/exclude-read-only-user';
 
 import type { ApiV3Response } from '../interfaces/apiv3-response';
 
 
+
 
 const logger = loggerFactory('growi:routes:apiv3:page:update-page');
 
 
 
@@ -121,7 +123,7 @@ export const updatePageHandlersFactory: UpdatePageHandlersFactory = (crowi) => {
 
     validator, apiV3FormValidator,
 
     async(req: UpdatePageRequest, res: ApiV3Response) => {
 
       const {
 
-        pageId, revisionId, body, origin,
 
+        pageId, revisionId, body, origin, grant,
 
       } = req.body;
 
 
       const sanitizeRevisionId = revisionId == null ? undefined : generalXssFilter.process(revisionId);
 
@@ -139,6 +141,12 @@ export const updatePageHandlersFactory: UpdatePageHandlersFactory = (crowi) => {
 
         return res.apiv3Err(new ErrorV3(`Page('${pageId}' is not found or forbidden`, 'notfound_or_forbidden'), 400);
 
       }
 
 
+      const isGrantImmutable = isTopPage(currentPage.path) || isUsersProtectedPages(currentPage.path);
 
+
 
+      if (grant != null && grant !== currentPage.grant && isGrantImmutable) {
 
+        return res.apiv3Err(new ErrorV3('The grant settings for the specified page cannot be modified.', PageUpdateErrorCode.FORBIDDEN), 403);
 
+      }
 
+
 
       if (currentPage != null) {
 
         // Normalize the latest revision which was borken by the migration script '20211227060705-revision-path-to-page-id-schema-migration--fixed-7549.js'
 
         try {
 
@@ -164,7 +172,7 @@ export const updatePageHandlersFactory: UpdatePageHandlersFactory = (crowi) => {
 
       let previousRevision: IRevisionHasId | null;
 
       try {
 
         const {
 
-          grant, userRelatedGrantUserGroupIds, overwriteScopesOfDescendants, wip,
 
+          userRelatedGrantUserGroupIds, overwriteScopesOfDescendants, wip,
 
         } = req.body;
 
         const options: IOptionsForUpdate = { overwriteScopesOfDescendants, origin, wip };
 
         if (grant != null) {