
fix(news): use READ scope for the admin delivery-setting GET endpoint

The GET handler only reads `news:isDeliveryEnabled` via configManager,
so requiring `SCOPE.WRITE.ADMIN.APP` was over-permissive and
inconsistent with the wider convention (e.g. `app-settings/index.ts`
GET uses `SCOPE.READ.ADMIN.APP`, PUT/POST use the WRITE counterpart).
Switch the GET to `SCOPE.READ.ADMIN.APP`; the POST handler keeps
`SCOPE.WRITE.ADMIN.APP`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Ryotaro Nagahara 1 week ago
parent
commit
7011e88ede
1 changed files with 1 additions and 1 deletions

+ 1 - 1
apps/app/src/features/news/server/routes/news.ts

@@ -192,7 +192,7 @@ export const createNewsRouter = (crowi?: Crowi): express.Router => {
    */
   router.get(
     '/admin/delivery-setting',
-    accessTokenParser([SCOPE.WRITE.ADMIN.APP]),
+    accessTokenParser([SCOPE.READ.ADMIN.APP]),
     loginRequiredStrictly,
     adminRequired,
     (_req, res) => {
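Review bot: On the changed `accessTokenParser([SCOPE.READ.ADMIN.APP])` line, nothing in this commit pins the new scope requirement: only this one file is touched and no test accompanies it. A route test that sends a token carrying only `SCOPE.READ.ADMIN.APP` to GET `/admin/delivery-setting` and expects success, then sends the same token to the POST handler and expects rejection, would keep the two from drifting again. Please also confirm that tokens issued with only `SCOPE.WRITE.ADMIN.APP` are still accepted on this GET. The hunk does not show whether `accessTokenParser` treats a WRITE scope as implying the READ one, and if it does not, existing callers using a write-only token will start failing. `loginRequiredStrictly` and `adminRequired` stay in the chain, so the admin gate itself is unchanged.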