
Merge pull request #10062 from weseek/imprv/167279-add-scopes-to-endpoints-where-accesstokenparser-has-no-scopes-configured

imprv: Add scopes to endpoints where accesstokenparser has no scopes configured (2)
Yuki Takei 9 ماه پیش
والد
کامیت
f284438cec

+ 3 - 4
apps/app/src/features/external-user-group/server/routes/apiv3/external-user-group.ts

@@ -1,4 +1,5 @@
 import { GroupType } from '@growi/core';
+import { SCOPE } from '@growi/core/dist/interfaces';
 import { ErrorV3 } from '@growi/core/dist/models';
 import type { Request } from 'express';
 import { Router } from 'express';
@@ -9,7 +10,6 @@ import {
 import ExternalUserGroup from '~/features/external-user-group/server/models/external-user-group';
 import ExternalUserGroupRelation from '~/features/external-user-group/server/models/external-user-group-relation';
 import { SupportedAction } from '~/interfaces/activity';
-import { SCOPE } from '@growi/core/dist/interfaces';
 import type { PageActionOnGroupDelete } from '~/interfaces/user-group';
 import type Crowi from '~/server/crowi';
 import { accessTokenParser } from '~/server/middlewares/access-token-parser';
@@ -474,9 +474,8 @@ module.exports = (crowi: Crowi): Router => {
    *                       items:
    *                         type: object
    */
-  // TODO: add accessTokenParser([SCOPE.READ.ADMIN.USER_GROUP_MANAGEMENT]) before loginRequiredStrictly
-  router.get('/:id/external-user-group-relations', loginRequiredStrictly, adminRequired,
-    async(req, res: ApiV3Response) => {
+  router.get('/:id/external-user-group-relations', accessTokenParser([SCOPE.READ.ADMIN.USER_GROUP_MANAGEMENT]), loginRequiredStrictly, adminRequired,
+    async(req: Request<{id: string}, Response, undefined>, res: ApiV3Response) => {
       const { id } = req.params;
 
       try {
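Review bot: The new handler annotation on the `router.get('/:id/external-user-group-relations', …)` line gives the second type argument of express's `Request` as `Response`, but the only express type visible in this file's imports is `import type { Request } from 'express'`; unless `Response` is imported further down, that name resolves to the global fetch `Response`, which is not what the ResBody parameter of `Request<P, ResBody, ReqBody>` denotes. ResBody is the payload type handed to `res.json`/`res.send`, so either use the API payload type there or let it default, e.g. `async(req: Request<{ id: string }>, res: ApiV3Response) => {`. The handler body continues outside the hunk.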

+ 88 - 84
apps/app/src/server/routes/apiv3/markdown-setting.js

@@ -1,13 +1,14 @@
+import { SCOPE } from '@growi/core/dist/interfaces';
 import { ErrorV3 } from '@growi/core/dist/models';
 
 import { SupportedAction } from '~/interfaces/activity';
+import { accessTokenParser } from '~/server/middlewares/access-token-parser';
 import { configManager } from '~/server/service/config-manager';
 import loggerFactory from '~/utils/logger';
 
 import { generateAddActivityMiddleware } from '../../middlewares/add-activity';
 import { apiV3FormValidator } from '../../middlewares/apiv3-form-validator';
 
-
 const logger = loggerFactory('growi:routes:apiv3:markdown-setting');
 
 const express = require('express');
@@ -149,7 +150,7 @@ module.exports = (crowi) => {
    *                      description: markdown params
    *                      $ref: '#/components/schemas/MarkdownParams'
    */
-  router.get('/', loginRequiredStrictly, adminRequired, async(req, res) => {
+  router.get('/', accessTokenParser([SCOPE.READ.ADMIN.MARKDOWN]), loginRequiredStrictly, adminRequired, async(req, res) => {
     const markdownParams = {
       isEnabledLinebreaks: await crowi.configManager.getConfig('markdown:isEnabledLinebreaks'),
       isEnabledLinebreaksInComments: await crowi.configManager.getConfig('markdown:isEnabledLinebreaksInComments'),
@@ -191,32 +192,33 @@ module.exports = (crowi) => {
    *                      type: object
    *                      $ref: '#/components/schemas/LineBreakParams'
    */
-  router.put('/lineBreak', loginRequiredStrictly, adminRequired, addActivity, validator.lineBreak, apiV3FormValidator, async(req, res) => {
-
-    const requestLineBreakParams = {
-      'markdown:isEnabledLinebreaks': req.body.isEnabledLinebreaks,
-      'markdown:isEnabledLinebreaksInComments': req.body.isEnabledLinebreaksInComments,
-    };
+  router.put('/lineBreak', accessTokenParser([SCOPE.WRITE.ADMIN.MARKDOWN]),
+    loginRequiredStrictly, adminRequired, addActivity, validator.lineBreak, apiV3FormValidator, async(req, res) => {
 
-    try {
-      await configManager.updateConfigs(requestLineBreakParams);
-      const lineBreaksParams = {
-        isEnabledLinebreaks: await crowi.configManager.getConfig('markdown:isEnabledLinebreaks'),
-        isEnabledLinebreaksInComments: await crowi.configManager.getConfig('markdown:isEnabledLinebreaksInComments'),
+      const requestLineBreakParams = {
+        'markdown:isEnabledLinebreaks': req.body.isEnabledLinebreaks,
+        'markdown:isEnabledLinebreaksInComments': req.body.isEnabledLinebreaksInComments,
       };
 
-      const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_LINE_BREAK_UPDATE };
-      activityEvent.emit('update', res.locals.activity._id, parameters);
+      try {
+        await configManager.updateConfigs(requestLineBreakParams);
+        const lineBreaksParams = {
+          isEnabledLinebreaks: await crowi.configManager.getConfig('markdown:isEnabledLinebreaks'),
+          isEnabledLinebreaksInComments: await crowi.configManager.getConfig('markdown:isEnabledLinebreaksInComments'),
+        };
 
-      return res.apiv3({ lineBreaksParams });
-    }
-    catch (err) {
-      const msg = 'Error occurred in updating lineBreak';
-      logger.error('Error', err);
-      return res.apiv3Err(new ErrorV3(msg, 'update-lineBreak-failed'));
-    }
+        const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_LINE_BREAK_UPDATE };
+        activityEvent.emit('update', res.locals.activity._id, parameters);
 
-  });
+        return res.apiv3({ lineBreaksParams });
+      }
+      catch (err) {
+        const msg = 'Error occurred in updating lineBreak';
+        logger.error('Error', err);
+        return res.apiv3Err(new ErrorV3(msg, 'update-lineBreak-failed'));
+      }
+
+    });
 
   /**
    * @swagger
@@ -246,32 +248,33 @@ module.exports = (crowi) => {
    *                      description: indent params
    *                      $ref: '#/components/schemas/IndentParams'
    */
-  router.put('/indent', loginRequiredStrictly, adminRequired, addActivity, validator.indent, apiV3FormValidator, async(req, res) => {
-
-    const requestIndentParams = {
-      'markdown:adminPreferredIndentSize': req.body.adminPreferredIndentSize,
-      'markdown:isIndentSizeForced': req.body.isIndentSizeForced,
-    };
+  router.put('/indent', accessTokenParser([SCOPE.WRITE.ADMIN.MARKDOWN]),
+    loginRequiredStrictly, adminRequired, addActivity, validator.indent, apiV3FormValidator, async(req, res) => {
 
-    try {
-      await configManager.updateConfigs(requestIndentParams);
-      const indentParams = {
-        adminPreferredIndentSize: await crowi.configManager.getConfig('markdown:adminPreferredIndentSize'),
-        isIndentSizeForced: await crowi.configManager.getConfig('markdown:isIndentSizeForced'),
+      const requestIndentParams = {
+        'markdown:adminPreferredIndentSize': req.body.adminPreferredIndentSize,
+        'markdown:isIndentSizeForced': req.body.isIndentSizeForced,
       };
 
-      const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_INDENT_UPDATE };
-      activityEvent.emit('update', res.locals.activity._id, parameters);
+      try {
+        await configManager.updateConfigs(requestIndentParams);
+        const indentParams = {
+          adminPreferredIndentSize: await crowi.configManager.getConfig('markdown:adminPreferredIndentSize'),
+          isIndentSizeForced: await crowi.configManager.getConfig('markdown:isIndentSizeForced'),
+        };
 
-      return res.apiv3({ indentParams });
-    }
-    catch (err) {
-      const msg = 'Error occurred in updating indent';
-      logger.error('Error', err);
-      return res.apiv3Err(new ErrorV3(msg, 'update-indent-failed'));
-    }
+        const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_INDENT_UPDATE };
+        activityEvent.emit('update', res.locals.activity._id, parameters);
 
-  });
+        return res.apiv3({ indentParams });
+      }
+      catch (err) {
+        const msg = 'Error occurred in updating indent';
+        logger.error('Error', err);
+        return res.apiv3Err(new ErrorV3(msg, 'update-indent-failed'));
+      }
+
+    });
 
   /**
    * @swagger
@@ -297,48 +300,49 @@ module.exports = (crowi) => {
    *                schema:
    *                  $ref: '#/components/schemas/XssParams'
    */
-  router.put('/xss', loginRequiredStrictly, adminRequired, addActivity, validator.xssSetting, apiV3FormValidator, async(req, res) => {
-    if (req.body.isEnabledXss && req.body.xssOption == null) {
-      return res.apiv3Err(new ErrorV3('xss option is required'));
-    }
-
-    try {
-      JSON.parse(req.body.attrWhitelist);
-    }
-    catch (err) {
-      const msg = 'Error occurred in updating xss';
-      logger.error('Error', err);
-      return res.apiv3Err(new ErrorV3(msg, 'update-xss-failed'));
-    }
-
-    const reqestXssParams = {
-      'markdown:rehypeSanitize:isEnabledPrevention': req.body.isEnabledXss,
-      'markdown:rehypeSanitize:option': req.body.xssOption,
-      'markdown:rehypeSanitize:tagNames': req.body.tagWhitelist,
-      'markdown:rehypeSanitize:attributes': req.body.attrWhitelist,
-    };
-
-    try {
-      await configManager.updateConfigs(reqestXssParams);
-      const xssParams = {
-        isEnabledXss: await crowi.configManager.getConfig('markdown:rehypeSanitize:isEnabledPrevention'),
-        xssOption: await crowi.configManager.getConfig('markdown:rehypeSanitize:option'),
-        tagWhitelist: await crowi.configManager.getConfig('markdown:rehypeSanitize:tagNames'),
-        attrWhitelist: await crowi.configManager.getConfig('markdown:rehypeSanitize:attributes'),
+  router.put('/xss', accessTokenParser([SCOPE.WRITE.ADMIN.MARKDOWN]),
+    loginRequiredStrictly, adminRequired, addActivity, validator.xssSetting, apiV3FormValidator, async(req, res) => {
+      if (req.body.isEnabledXss && req.body.xssOption == null) {
+        return res.apiv3Err(new ErrorV3('xss option is required'));
+      }
+
+      try {
+        JSON.parse(req.body.attrWhitelist);
+      }
+      catch (err) {
+        const msg = 'Error occurred in updating xss';
+        logger.error('Error', err);
+        return res.apiv3Err(new ErrorV3(msg, 'update-xss-failed'));
+      }
+
+      const reqestXssParams = {
+        'markdown:rehypeSanitize:isEnabledPrevention': req.body.isEnabledXss,
+        'markdown:rehypeSanitize:option': req.body.xssOption,
+        'markdown:rehypeSanitize:tagNames': req.body.tagWhitelist,
+        'markdown:rehypeSanitize:attributes': req.body.attrWhitelist,
       };
 
-      const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_XSS_UPDATE };
-      activityEvent.emit('update', res.locals.activity._id, parameters);
-
-      return res.apiv3({ xssParams });
-    }
-    catch (err) {
-      const msg = 'Error occurred in updating xss';
-      logger.error('Error', err);
-      return res.apiv3Err(new ErrorV3(msg, 'update-xss-failed'));
-    }
-
-  });
+      try {
+        await configManager.updateConfigs(reqestXssParams);
+        const xssParams = {
+          isEnabledXss: await crowi.configManager.getConfig('markdown:rehypeSanitize:isEnabledPrevention'),
+          xssOption: await crowi.configManager.getConfig('markdown:rehypeSanitize:option'),
+          tagWhitelist: await crowi.configManager.getConfig('markdown:rehypeSanitize:tagNames'),
+          attrWhitelist: await crowi.configManager.getConfig('markdown:rehypeSanitize:attributes'),
+        };
+
+        const parameters = { action: SupportedAction.ACTION_ADMIN_MARKDOWN_XSS_UPDATE };
+        activityEvent.emit('update', res.locals.activity._id, parameters);
+
+        return res.apiv3({ xssParams });
+      }
+      catch (err) {
+        const msg = 'Error occurred in updating xss';
+        logger.error('Error', err);
+        return res.apiv3Err(new ErrorV3(msg, 'update-xss-failed'));
+      }
+
+    });
 
   return router;
 };
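Review bot: In the re-indented `/xss` handler the `JSON.parse(req.body.attrWhitelist)` block only checks that the string parses, and its failure is reported with the same message and code as a failed config update (`'Error occurred in updating xss'`, `'update-xss-failed'`) and logged at error level, so malformed client input is indistinguishable from a server-side fault in both the response and the logs. Since this branch is input validation, a distinct message such as `return res.apiv3Err(new ErrorV3('attrWhitelist must be valid JSON', 'update-xss-failed'));` with `logger.warn` instead of `logger.error` would make that clear. `tagWhitelist` is not checked the same way, which may be intentional if `validator.xssSetting` already covers it; that validator is outside the hunk. The logic itself is unchanged by this commit apart from indentation.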

+ 4 - 1
apps/app/src/server/routes/apiv3/mongo.js

@@ -1,3 +1,6 @@
+import { SCOPE } from '@growi/core/dist/interfaces';
+
+import { accessTokenParser } from '~/server/middlewares/access-token-parser';
 import loggerFactory from '~/utils/logger';
 
 const logger = loggerFactory('growi:routes:apiv3:mongo'); // eslint-disable-line no-unused-vars
@@ -35,7 +38,7 @@ module.exports = (crowi) => {
    *                    items:
    *                      type: string
    */
-  router.get('/collections', loginRequiredStrictly, adminRequired, async(req, res) => {
+  router.get('/collections', accessTokenParser([SCOPE.READ.ADMIN.EXPORT_DATA]), loginRequiredStrictly, adminRequired, async(req, res) => {
     const listCollectionsResult = await mongoose.connection.db.listCollections().toArray();
     const collections = listCollectionsResult.map(collectionObj => collectionObj.name);
 
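Review bot: The `/collections` handler on the new `router.get` line is `async` with no try/catch around `mongoose.connection.db.listCollections().toArray()`, so a rejected promise is not routed to `res.apiv3Err` and, unless an async wrapper is applied elsewhere, surfaces as an unhandled rejection rather than an API error response. Wrapping the body as `try { … } catch (err) { logger.error(err); return res.apiv3Err(new ErrorV3('Failed to list collections', 'list-collections-failed')); }` would match the other apiv3 routes and would also give the `logger` (currently marked `no-unused-vars`) a use; `ErrorV3` is not among this file's visible imports and would need one. The handler body continues past the hunk.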

+ 0 - 1
apps/app/src/server/routes/apiv3/personal-setting/generate-access-token.ts

@@ -79,7 +79,6 @@ export const generateAccessTokenHandlerFactory: GenerateAccessTokenHandlerFactor
   const activityEvent = crowi.event('activity');
   const addActivity = generateAddActivityMiddleware();
 
-
   return [
     loginRequiredStrictly,
     excludeReadOnlyUser,

+ 7 - 7
apps/app/src/server/routes/index.js

@@ -1,8 +1,8 @@
+import { SCOPE } from '@growi/core/dist/interfaces';
 import csrf from 'csurf';
 import express from 'express';
 
 import { middlewareFactory as rateLimiterFactory } from '~/features/rate-limiter';
-import { SCOPE } from '@growi/core/dist/interfaces';
 
 import { accessTokenParser } from '../middlewares/access-token-parser';
 import { generateAddActivityMiddleware } from '../middlewares/add-activity';
@@ -101,7 +101,7 @@ module.exports = function(crowi, app) {
   app.get('/passport/oidc/callback'               , loginPassport.injectRedirectTo, loginPassport.loginPassportOidcCallback     , loginPassport.loginFailureForExternalAccount);
   app.post('/passport/saml/callback'              , addActivity, loginPassport.injectRedirectTo, loginPassport.loginPassportSamlCallback, loginPassport.loginFailureForExternalAccount);
 
-  app.post('/_api/login/testLdap'    , loginRequiredStrictly , loginFormValidator.loginRules() , loginFormValidator.loginValidation , loginPassport.testLdapCredentials);
+  app.post('/_api/login/testLdap'    ,  accessTokenParser([SCOPE.WRITE.USER_SETTINGS.EXTERNAL_ACCOUNT]), loginRequiredStrictly , loginFormValidator.loginRules() , loginFormValidator.loginValidation , loginPassport.testLdapCredentials);
 
   // importer management for admin
   app.post('/_api/admin/settings/importerEsa'   , accessTokenParser([SCOPE.WRITE.ADMIN.IMPORT_DATA]), loginRequiredStrictly , adminRequired , csrfProtection, addActivity, admin.importer.api.validators.importer.esa(),admin.api.importerSettingEsa);
@@ -149,13 +149,13 @@ module.exports = function(crowi, app) {
 
   app.use(unavailableWhenMaintenanceMode);
 
-  app.get('/me'                                   , accessTokenParser([SCOPE.READ.USER_SETTINGS.INFO]), loginRequiredStrictly, next.delegateToNext);
-  app.get('/me/*'                                 , accessTokenParser([SCOPE.READ.USER_SETTINGS.INFO]), loginRequiredStrictly, next.delegateToNext);
+  app.get('/me'                                   , loginRequiredStrictly, next.delegateToNext);
+  app.get('/me/*'                                 , loginRequiredStrictly, next.delegateToNext);
 
   app.use('/attachment', accessTokenParser([SCOPE.READ.FEATURES.ATTACHMENT]), attachment.getRouterFactory(crowi));
   app.use('/download', accessTokenParser([SCOPE.READ.FEATURES.ATTACHMENT]), attachment.downloadRouterFactory(crowi));
 
-  app.get('/_search'                            , accessTokenParser([SCOPE.READ.FEATURES.PAGE]), loginRequired, next.delegateToNext);
+  app.get('/_search'                              , loginRequired, next.delegateToNext);
 
   app.use('/forgot-password', express.Router()
     .use(forgotPassword.checkForgotPasswordEnabledMiddlewareFactory(crowi))
@@ -174,7 +174,7 @@ module.exports = function(crowi, app) {
 
   app.use('/ogp', express.Router().get('/:pageId([0-9a-z]{0,})', loginRequired, ogp.pageIdRequired, ogp.ogpValidator, ogp.renderOgp));
 
-  app.get('/*/$'                   , accessTokenParser([SCOPE.READ.FEATURES.PAGE]), loginRequired, next.delegateToNext);
-  app.get('/*'                     , accessTokenParser([SCOPE.READ.FEATURES.PAGE]), loginRequired, autoReconnectToSearch, next.delegateToNext);
+  app.get('/*/$'                   , loginRequired, next.delegateToNext);
+  app.get('/*'                     , loginRequired, autoReconnectToSearch, next.delegateToNext);
 
 };
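Review bot: The last two hunks remove `accessTokenParser([SCOPE.READ.…])` from the page-rendering routes (`/me`, `/me/*`, `/_search`, `/*/$`, `/*`), so an access token no longer authenticates those requests, while the PR title only describes adding scopes; that tightening is worth recording so it is not later mistaken for a regression. A comment above the `/me` route, e.g. `// page routes are session-only: access tokens are intentionally not accepted here`, would do. In the `/_api/login/testLdap` hunk there is also a stray double space before `accessTokenParser(`, and the scope chosen there, `SCOPE.WRITE.USER_SETTINGS.EXTERNAL_ACCOUNT`, is worth checking against the endpoint's callers, since the route is not behind `adminRequired`.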