YourSelfHosted/memos
1
0
Fork 0
mirror of https://github.com/usememos/memos.git synced 2025-06-05 22:09:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

chore: prevent visitors from breaking demo (#2869)

Browse Source 
* chore: add en-GB language

* chore: remove en-GB contents

* chore: prevent visitors from breaking demo
- prevent disabling password login
- prevent updating `memos-demo` user
- prevent setting additional style
- prevent setting additional script
- add some error feedback to system settings UI

* Revert "chore: add en-GB language"

This reverts commit 2716377b04.
This commit is contained in:
Lincoln Nogueira
2024-01-31 02:16:31 -03:00
committed by GitHub
parent 49e3eb107c
commit 52539fc130
5 changed files with 43 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
api/v1/system_setting.go
View File

@ -159,6 +159,16 @@ func (s *APIV1Service) CreateSystemSetting(c echo.Context) error {
if err := systemSettingUpsert.Validate(); err != nil { if err := systemSettingUpsert.Validate(); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "invalid system setting").SetInternal(err) return echo.NewHTTPError(http.StatusBadRequest, "invalid system setting").SetInternal(err)
} }
if s.Profile.Mode == "demo" {
switch systemSettingUpsert.Name {
case SystemSettingAdditionalStyleName:
return echo.NewHTTPError(http.StatusForbidden, "additional style is not allowed in demo mode")
case SystemSettingAdditionalScriptName:
return echo.NewHTTPError(http.StatusForbidden, "additional script is not allowed in demo mode")
case SystemSettingDisablePasswordLoginName:
return echo.NewHTTPError(http.StatusForbidden, "disabling password login is not allowed in demo mode")
}
}
if systemSettingUpsert.Name == SystemSettingDisablePasswordLoginName { if systemSettingUpsert.Name == SystemSettingDisablePasswordLoginName {
var disablePasswordLogin bool var disablePasswordLogin bool
if err := json.Unmarshal([]byte(systemSettingUpsert.Value), &disablePasswordLogin); err != nil { if err := json.Unmarshal([]byte(systemSettingUpsert.Value), &disablePasswordLogin); err != nil {

12
api/v1/user.go
View File

@ -316,6 +316,14 @@ func (s *APIV1Service) DeleteUser(c echo.Context) error {
return echo.NewHTTPError(http.StatusBadRequest, "Cannot delete current user") return echo.NewHTTPError(http.StatusBadRequest, "Cannot delete current user")
} }
findUser, err := s.Store.GetUser(ctx, &store.FindUser{ID: &userID})
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
}
if s.Profile.Mode == "demo" && findUser.Username == "memos-demo" {
return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to delete this user in demo mode")
}
if err := s.Store.DeleteUser(ctx, &store.DeleteUser{ if err := s.Store.DeleteUser(ctx, &store.DeleteUser{
ID: userID, ID: userID,
}); err != nil { }); err != nil {
@ -366,6 +374,10 @@ func (s *APIV1Service) UpdateUser(c echo.Context) error {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid update user request").SetInternal(err) return echo.NewHTTPError(http.StatusBadRequest, "Invalid update user request").SetInternal(err)
} }
if s.Profile.Mode == "demo" && *request.Username == "memos-demo" {
return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to update user in demo mode")
}
currentTs := time.Now().Unix() currentTs := time.Now().Unix()
userUpdate := &store.UpdateUser{ userUpdate := &store.UpdateUser{
ID: userID, ID: userID,

8
api/v2/user_service.go
View File

@ -130,6 +130,10 @@ func (s *APIV2Service) UpdateUser(ctx context.Context, request *apiv2pb.UpdateUs
return nil, status.Errorf(codes.NotFound, "user not found") return nil, status.Errorf(codes.NotFound, "user not found")
} }
if s.Profile.Mode == "demo" && user.Username == "memos-demo" {
return nil, status.Errorf(codes.PermissionDenied, "unauthorized to update user in demo mode")
}
currentTs := time.Now().Unix() currentTs := time.Now().Unix()
update := &store.UpdateUser{ update := &store.UpdateUser{
ID: user.ID, ID: user.ID,
@ -197,6 +201,10 @@ func (s *APIV2Service) DeleteUser(ctx context.Context, request *apiv2pb.DeleteUs
return nil, status.Errorf(codes.NotFound, "user not found") return nil, status.Errorf(codes.NotFound, "user not found")
} }
if s.Profile.Mode == "demo" && user.Username == "memos-demo" {
return nil, status.Errorf(codes.PermissionDenied, "unauthorized to delete this user in demo mode")
}
if err := s.Store.DeleteUser(ctx, &store.DeleteUser{ if err := s.Store.DeleteUser(ctx, &store.DeleteUser{
ID: user.ID, ID: user.ID,
}); err != nil { }); err != nil {

9
api/v2/workspace_service.go
View File

@ -45,6 +45,9 @@ func (s *APIV2Service) UpdateWorkspaceProfile(ctx context.Context, request *apiv
return nil, status.Errorf(codes.Internal, "failed to update allow_registration system setting: %v", err) return nil, status.Errorf(codes.Internal, "failed to update allow_registration system setting: %v", err)
} }
} else if field == "disable_password_login" { } else if field == "disable_password_login" {
if s.Profile.Mode == "demo" {
return nil, status.Errorf(codes.PermissionDenied, "disabling password login is not allowed in demo mode")
}
_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{ _, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
Name: "disable-password-login", Name: "disable-password-login",
Value: strconv.FormatBool(request.WorkspaceProfile.DisablePasswordLogin), Value: strconv.FormatBool(request.WorkspaceProfile.DisablePasswordLogin),
@ -53,6 +56,9 @@ func (s *APIV2Service) UpdateWorkspaceProfile(ctx context.Context, request *apiv
return nil, status.Errorf(codes.Internal, "failed to update disable_password_login system setting: %v", err) return nil, status.Errorf(codes.Internal, "failed to update disable_password_login system setting: %v", err)
} }
} else if field == "additional_script" { } else if field == "additional_script" {
if s.Profile.Mode == "demo" {
return nil, status.Errorf(codes.PermissionDenied, "additional script is not allowed in demo mode")
}
_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{ _, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
Name: "additional-script", Name: "additional-script",
Value: request.WorkspaceProfile.AdditionalScript, Value: request.WorkspaceProfile.AdditionalScript,
@ -61,6 +67,9 @@ func (s *APIV2Service) UpdateWorkspaceProfile(ctx context.Context, request *apiv
return nil, status.Errorf(codes.Internal, "failed to update additional_script system setting: %v", err) return nil, status.Errorf(codes.Internal, "failed to update additional_script system setting: %v", err)
} }
} else if field == "additional_style" { } else if field == "additional_style" {
if s.Profile.Mode == "demo" {
return nil, status.Errorf(codes.PermissionDenied, "additional style is not allowed in demo mode")
}
_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{ _, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
Name: "additional-style", Name: "additional-style",
Value: request.WorkspaceProfile.AdditionalStyle, Value: request.WorkspaceProfile.AdditionalStyle,

6
web/src/components/Settings/SystemSection.tsx
View File

@ -152,7 +152,8 @@ const SystemSection = () => {
name: "additional-style", name: "additional-style",
value: JSON.stringify(state.additionalStyle), value: JSON.stringify(state.additionalStyle),
}); });
} catch (error) { } catch (error: any) {
toast.error(error.response.data.message);
console.error(error); console.error(error);
return; return;
} }
@ -172,7 +173,8 @@ const SystemSection = () => {
name: "additional-script", name: "additional-script",
value: JSON.stringify(state.additionalScript), value: JSON.stringify(state.additionalScript),
}); });
} catch (error) { } catch (error: any) {
toast.error(error.response.data.message);
console.error(error); console.error(error);
return; return;
} }