Merge pull request #7258 from overleaf/jpa-restrict-history-access

[web] block restricted token users from accessing project history

GitOrigin-RevId: 18e6d58150be3846bc87e292108c1a09c553c9be
This commit is contained in:
Jakob Ackermann
2022-03-28 13:23:15 +01:00
committed by Copybot
parent f9b3526b03
commit 5f5b17c6e9
+6
@@ -580,24 +580,28 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
)
webRouter.get(
'/project/:Project_id/updates',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApiAndInjectUserDetails
)
webRouter.get(
'/project/:Project_id/doc/:doc_id/diff',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApi
)
webRouter.get(
'/project/:Project_id/diff',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApiAndInjectUserDetails
)
webRouter.get(
'/project/:Project_id/filetree/diff',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.proxyToHistoryApi
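Review bot: The restricted-user guard is repeated by hand on each history route in this hunk (`/updates`, `/doc/:doc_id/diff`, `/diff`, `/filetree/diff`), and again on the zip-download and `/labels` routes in the later hunks. A history route added later would therefore skip the check unless its author remembers the extra line. Assuming `webRouter` is an Express-style router that accepts middleware arrays, the pair could be defined once, `const historyReadAccess = [AuthorizationMiddleware.blockRestrictedUserFromProject, AuthorizationMiddleware.ensureUserCanReadProject]`, and passed to each `webRouter.get(...)`. Failing that, a comment above the history routes would do, such as `// every history route must block restricted (token) users before the read check`. `initialize` starts and ends outside this hunk, so history routes that are not shown here should be checked for the same guard.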
@@ -625,6 +629,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
maxRequests: 30,
timeInterval: 60 * 60,
}),
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.downloadZipOfVersion
)
@@ -636,6 +641,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
webRouter.get(
'/project/:Project_id/labels',
AuthorizationMiddleware.blockRestrictedUserFromProject,
AuthorizationMiddleware.ensureUserCanReadProject,
HistoryController.selectHistoryApi,
HistoryController.ensureProjectHistoryEnabled,