From 5f5b17c6e9f49c3ecf7a88e9ba49f68b22d694da Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Mon, 28 Mar 2022 13:23:15 +0100
Subject: [PATCH] Merge pull request #7258 from overleaf/jpa-restrict-history-access

[web] block restricted token users from accessing project history

GitOrigin-RevId: 18e6d58150be3846bc87e292108c1a09c553c9be
---
 services/web/app/src/router.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/services/web/app/src/router.js b/services/web/app/src/router.js
index 75c78cc0db..8abe75a243 100644
--- a/services/web/app/src/router.js
+++ b/services/web/app/src/router.js
@@ -580,24 +580,28 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
   )
   webRouter.get(
     '/project/:Project_id/updates',
+    AuthorizationMiddleware.blockRestrictedUserFromProject,
     AuthorizationMiddleware.ensureUserCanReadProject,
     HistoryController.selectHistoryApi,
     HistoryController.proxyToHistoryApiAndInjectUserDetails
   )
   webRouter.get(
     '/project/:Project_id/doc/:doc_id/diff',
+    AuthorizationMiddleware.blockRestrictedUserFromProject,
     AuthorizationMiddleware.ensureUserCanReadProject,
     HistoryController.selectHistoryApi,
     HistoryController.proxyToHistoryApi
   )
   webRouter.get(
     '/project/:Project_id/diff',
+    AuthorizationMiddleware.blockRestrictedUserFromProject,
     AuthorizationMiddleware.ensureUserCanReadProject,
     HistoryController.selectHistoryApi,
     HistoryController.proxyToHistoryApiAndInjectUserDetails
   )
   webRouter.get(
     '/project/:Project_id/filetree/diff',
+    AuthorizationMiddleware.blockRestrictedUserFromProject,
     AuthorizationMiddleware.ensureUserCanReadProject,
     HistoryController.selectHistoryApi,
     HistoryController.proxyToHistoryApi
@@ -625,6 +629,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
       maxRequests: 30,
       timeInterval: 60 * 60,
     }),
+    AuthorizationMiddleware.blockRestrictedUserFromProject,
     AuthorizationMiddleware.ensureUserCanReadProject,
     HistoryController.downloadZipOfVersion
   )
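Review bot: The restricted-user guard is added by hand to each of the four history routes in this hunk (`/updates`, `/doc/:doc_id/diff`, `/diff`, `/filetree/diff`), which leaves the history surface as a denylist that every future route must remember to extend; a route added with only `ensureUserCanReadProject` would silently reopen the hole this commit closes. I would hoist the pair into one shared array near the top of `initialize`, `const historyReadAccess = [AuthorizationMiddleware.blockRestrictedUserFromProject, AuthorizationMiddleware.ensureUserCanReadProject]`, and replace both lines in each route with `...historyReadAccess,` so the two checks cannot drift apart. The ordering here runs `blockRestrictedUserFromProject` before the read check, which is fine as long as that middleware fails closed for anonymous callers; that cannot be confirmed from this diff. The enclosing `initialize` function starts and ends outside the hunk.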
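Review bot: In the zip-download hunk the new `blockRestrictedUserFromProject` line is placed after the rate limiter whose options close at `}),`, so a restricted token holder's request still consumes one of the `maxRequests: 30` per-hour slots before being refused. If that limiter is keyed per project rather than per user (its construction begins above the hunk, so I cannot tell), a restricted user could exhaust the budget for legitimate collaborators. Unless throttling unauthorized probing is the intent, consider moving the two authorization middlewares ahead of the rate limiter call, and add a one-line comment stating which order was chosen and why. The `webRouter.get(` that opens this route is outside the hunk.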
@@ -636,6 +641,7 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
   webRouter.get(
     '/project/:Project_id/labels',
+    AuthorizationMiddleware.blockRestrictedUserFromProject,
     AuthorizationMiddleware.ensureUserCanReadProject,
     HistoryController.selectHistoryApi,
     HistoryController.ensureProjectHistoryEnabled,