fix: add missing route guards to issues pages (#2235)

* fix: users should always be able to view their own issues * fix: apply route guards to issues pages instead * fix(api): only allow users w/ issue perms to edit comments / delete issues
3 years ago · c79dc9f70f
parent 3ec4a9c76e
commit c79dc9f70f
4 changed files with 74 additions and 27 deletions
--- a/server/routes/issue.ts
+++ b/server/routes/issue.ts
@ -68,7 +68,7 @@ issueRoutes.get<Record<string, string>, IssueResultsResponse>(
        return next({
          status: 403,
          message:
-            'You do not have permission to view issues created by other users',
+            'You do not have permission to view issues reported by other users',
        });
      }
      query = query.andWhere('createdBy.id = :id', { id: req.user?.id });
@ -291,35 +291,41 @@ issueRoutes.post<{ issueId: string; status: string }, Issue>(
  }
 );
-issueRoutes.delete('/:issueId', async (req, res, next) => {
+issueRoutes.delete(
-  const issueRepository = getRepository(Issue);
+  '/:issueId',
-
+  isAuthenticated([Permission.MANAGE_ISSUES, Permission.CREATE_ISSUES], {
-  try {
+    type: 'or',
-    const issue = await issueRepository.findOneOrFail({
+  }),
-      where: { id: Number(req.params.issueId) },
+  async (req, res, next) => {
-      relations: ['createdBy'],
+    const issueRepository = getRepository(Issue);
    });
-    if (
+    try {
-      !req.user?.hasPermission(Permission.MANAGE_ISSUES) &&
+      const issue = await issueRepository.findOneOrFail({
-      (issue.createdBy.id !== req.user?.id || issue.comments.length > 1)
+        where: { id: Number(req.params.issueId) },
-    ) {
+        relations: ['createdBy'],
      return next({
        status: 401,
        message: 'You do not have permission to delete this issue.',
      });
    }
-    await issueRepository.remove(issue);
+      if (
        !req.user?.hasPermission(Permission.MANAGE_ISSUES) &&
        (issue.createdBy.id !== req.user?.id || issue.comments.length > 1)
      ) {
        return next({
          status: 401,
          message: 'You do not have permission to delete this issue.',
        });
      }
-    return res.status(204).send();
+      await issueRepository.remove(issue);
-  } catch (e) {
+
-    logger.error('Something went wrong deleting an issue.', {
+      return res.status(204).send();
-      label: 'API',
+    } catch (e) {
-      errorMessage: e.message,
+      logger.error('Something went wrong deleting an issue.', {
-    });
+        label: 'API',
-    next({ status: 404, message: 'Issue not found.' });
+        errorMessage: e.message,
      });
      next({ status: 404, message: 'Issue not found.' });
    }
  }
-});
+);
 export default issueRoutes;
--- a/server/routes/request.ts
+++ b/server/routes/request.ts
@ -500,9 +500,26 @@ requestRoutes.get('/:requestId', async (req, res, next) => {
      relations: ['requestedBy', 'modifiedBy'],
    });
    if (
      request.requestedBy.id !== req.user?.id &&
      !req.user?.hasPermission(
        [Permission.MANAGE_REQUESTS, Permission.REQUEST_VIEW],
        { type: 'or' }
      )
    ) {
      return next({
        status: 403,
        message: 'You do not have permission to view this request.',
      });
    }
    return res.status(200).json(request);
  } catch (e) {
-    next({ status: 404, message: 'Request not found' });
+    logger.debug('Failed to retrieve request.', {
      label: 'API',
      errorMessage: e.message,
    });
    next({ status: 404, message: 'Request not found.' });
  }
 });
--- a/src/pages/issues/[issueId]/index.tsx
+++ b/src/pages/issues/[issueId]/index.tsx
@ -1,8 +1,20 @@
 import { NextPage } from 'next';
 import React from 'react';
 import IssueDetails from '../../../components/IssueDetails';
 import useRouteGuard from '../../../hooks/useRouteGuard';
 import { Permission } from '../../../hooks/useUser';
 const IssuePage: NextPage = () => {
  useRouteGuard(
    [
      Permission.MANAGE_ISSUES,
      Permission.CREATE_ISSUES,
      Permission.VIEW_ISSUES,
    ],
    {
      type: 'or',
    }
  );
  return <IssueDetails />;
 };
--- a/src/pages/issues/index.tsx
+++ b/src/pages/issues/index.tsx
@ -1,8 +1,20 @@
 import { NextPage } from 'next';
 import React from 'react';
 import IssueList from '../../components/IssueList';
 import useRouteGuard from '../../hooks/useRouteGuard';
 import { Permission } from '../../hooks/useUser';
 const IssuePage: NextPage = () => {
  useRouteGuard(
    [
      Permission.MANAGE_ISSUES,
      Permission.CREATE_ISSUES,
      Permission.VIEW_ISSUES,
    ],
    {
      type: 'or',
    }
  );
  return <IssueList />;
 };