

Call to local admin routes should be checked in Gladys Plus as well
Pierre-Gilles committed Jan 23, 2025
1 parent 68db725 commit d56acc1
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions server/api/setupGateway.js
Expand Up @@ -2,8 +2,8 @@ const { pathToRegexp } = require('path-to-regexp');

const nodeUrl = require('url');
const errorMiddleware = require('./middlewares/errorMiddleware');
const { EVENTS } = require('../utils/constants');
const { NotFoundError } = require('../utils/coreErrors');
const { USER_ROLE, EVENTS } = require('../utils/constants');
const { NotFoundError, ForbiddenError } = require('../utils/coreErrors');

/**
* @description Setup Gateway API calls.
Expand All @@ -23,6 +23,7 @@ function setupGateway(gladys, routes) {
method,
keys,
regex: pathToRegexp(path, keys),
admin: routes[routeKey].admin,
controller: routes[routeKey].controller,
};
});
Expand Down Expand Up @@ -58,6 +59,11 @@ function setupGateway(gladys, routes) {
regexes[i - 1].keys.forEach((key, index) => {
req.params[key.name] = results[index + 1];
});
if (regexes[i - 1].admin) {
if (user.role !== USER_ROLE.ADMIN) {
errorMiddleware(new ForbiddenError('This route is only accessible to admin user.'), req, res);

}
}
// and we call the controller
regexes[i - 1].controller(req, res, (e) => {
errorMiddleware(e, req, res);
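Review bot: The ForbiddenError branch in the third hunk (@@ -58,6 +59,11 @@) does not stop execution: after `errorMiddleware(new ForbiddenError(...), req, res)` dispatches the 403, control falls through to `regexes[i - 1].controller(req, res, ...)` a few lines below, so the admin-only controller still runs for a non-admin caller and its own response will likely collide with the one already written. Change the call to `return errorMiddleware(new ForbiddenError('This route is only accessible to admin user.'), req, res);` so the handler exits once the error has been dispatched. A test that routes a non-admin `user` to an entry with `admin: true` and asserts the controller is never invoked would pin this behaviour down. The enclosing function continues on both sides of the hunk and `user` is resolved outside it, so I am assuming it is always populated here; if it can be undefined at this point, the check should reject that case explicitly rather than throw on `user.role`.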
