properly send a 404 error when an user requests an UI view on a scene he can't access

62e86620 · Sebastien DUMETZ · 4b370351 · 62e86620 · 62e86620
Commit 62e86620 authored 1 year ago by Sebastien DUMETZ
--- a/source/server/server.ts
+++ b/source/server/server.ts
@@ -8,7 +8,7 @@ import UserManager from "./auth/UserManager.js";
 import { BadRequestError, HTTPError } from "./utils/errors.js";
 import { mkdir } from "fs/promises";

-import {AppLocals, getHost, getUserManager} from "./utils/locals.js";
+import {AppLocals, canRead, canWrite, getHost, getUserManager, isUser} from "./utils/locals.js";

 import openDatabase from "./vfs/helpers/db.js";
 import Vfs from "./vfs/index.js";
@@ -106,6 +106,8 @@ export default async function createServer(config = defaultConfig) :Promise<expr
    next();
  });
  
+  app.use("/ui/scenes/:scene/", canRead);
+
  app.get("/ui/scenes/:scene/view", (req, res)=>{
    let {scene} = req.params;
    let {lang} = req.query;
@@ -122,7 +124,7 @@ export default async function createServer(config = defaultConfig) :Promise<expr
    });
  });

-  app.get("/ui/scenes/:scene/edit",(req, res)=>{
+  app.get("/ui/scenes/:scene/edit", canWrite, (req, res)=>{
    let {scene} = req.params;
    let {lang} = req.query;
    let host = getHost(req);

--- a/source/server/templates/error.hbs
+++ b/source/server/templates/error.hbs
@@ -41,5 +41,4 @@
    padding: 1ch;
  }
 </style>
-
-<script src="/js/corpus.js"></script>
\ No newline at end of file
+<script src="/dist/js/corpus.js"></script>
\ No newline at end of file