fix: api access checks
@@ -20,6 +20,7 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
|
|||||||
if !ok {
|
if !ok {
|
||||||
return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
|
return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
|
||||||
}
|
}
|
||||||
|
|
||||||
memoCreate := &api.MemoCreate{
|
memoCreate := &api.MemoCreate{
|
||||||
CreatorID: userID,
|
CreatorID: userID,
|
||||||
// Private is the default memo visibility.
|
// Private is the default memo visibility.
|
||||||
@@ -28,7 +29,6 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
|
|||||||
if err := json.NewDecoder(c.Request().Body).Decode(memoCreate); err != nil {
|
if err := json.NewDecoder(c.Request().Body).Decode(memoCreate); err != nil {
|
||||||
return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo request").SetInternal(err)
|
return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo request").SetInternal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if memoCreate.Content == "" {
|
if memoCreate.Content == "" {
|
||||||
return echo.NewHTTPError(http.StatusBadRequest, "Memo content shouldn't be empty")
|
return echo.NewHTTPError(http.StatusBadRequest, "Memo content shouldn't be empty")
|
||||||
}
|
}
|
||||||
@@ -64,11 +64,24 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
|
|||||||
|
|
||||||
g.PATCH("/memo/:memoId", func(c echo.Context) error {
|
g.PATCH("/memo/:memoId", func(c echo.Context) error {
|
||||||
ctx := c.Request().Context()
|
ctx := c.Request().Context()
|
||||||
|
userID, ok := c.Get(getUserIDContextKey()).(int)
|
||||||
|
if !ok {
|
||||||
|
return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
|
||||||
|
}
|
||||||
|
|
||||||
memoID, err := strconv.Atoi(c.Param("memoId"))
|
memoID, err := strconv.Atoi(c.Param("memoId"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
|
return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
memoFind := &api.MemoFind{
|
||||||
|
ID: &memoID,
|
||||||
|
CreatorID: &userID,
|
||||||
|
}
|
||||||
|
if _, err := s.Store.FindMemo(ctx, memoFind); err != nil {
|
||||||
|
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo").SetInternal(err)
|
||||||
|
}
|
||||||
|
|
||||||
memoPatch := &api.MemoPatch{
|
memoPatch := &api.MemoPatch{
|
||||||
ID: memoID,
|
ID: memoID,
|
||||||
}
|
}
|
||||||
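Review bot: The ownership guard added ahead of `memoPatch` reports every miss as a 500 `Failed to find memo`, so a caller patching someone else's memo (or a nonexistent ID) receives an internal-error response instead of a 403/404, and the guard only works if `FindMemo` returns a non-nil error when no row matches both `ID` and `CreatorID` — if the store returns `(nil, nil)` for no match, the patch proceeds on another user's memo. The store contract is not visible here, so guard both ways: `if memo, err := s.Store.FindMemo(ctx, memoFind); err != nil || memo == nil {` and return `http.StatusNotFound` (or 403) on that path, keeping `.SetInternal(err)` only for the genuine error case. Note also that `api.MemoPatch` is built with `ID` alone, so the write itself is not scoped to the creator; if `MemoPatch` can carry `CreatorID`, setting it there puts the ownership constraint in the same query as the mutation instead of a separate read. The handler continues past the hunk (the actual patch call is not visible), so I assume nothing downstream re-checks ownership.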
@@ -91,7 +104,6 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
|
|||||||
g.GET("/memo", func(c echo.Context) error {
|
g.GET("/memo", func(c echo.Context) error {
|
||||||
ctx := c.Request().Context()
|
ctx := c.Request().Context()
|
||||||
memoFind := &api.MemoFind{}
|
memoFind := &api.MemoFind{}
|
||||||
|
|
||||||
if userID, err := strconv.Atoi(c.QueryParam("creatorId")); err == nil {
|
if userID, err := strconv.Atoi(c.QueryParam("creatorId")); err == nil {
|
||||||
memoFind.CreatorID = &userID
|
memoFind.CreatorID = &userID
|
||||||
}
|
}
|
||||||
@@ -222,10 +234,12 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
|
|||||||
return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find memo by ID: %v", memoID)).SetInternal(err)
|
return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find memo by ID: %v", memoID)).SetInternal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
userID, ok := c.Get(getUserIDContextKey()).(int)
|
||||||
if memo.Visibility == api.Privite {
|
if memo.Visibility == api.Privite {
|
||||||
return echo.NewHTTPError(http.StatusForbidden, "this memo is private only")
|
if !ok || memo.CreatorID != userID {
|
||||||
|
return echo.NewHTTPError(http.StatusForbidden, "this memo is private only")
|
||||||
|
}
|
||||||
} else if memo.Visibility == api.Protected {
|
} else if memo.Visibility == api.Protected {
|
||||||
_, ok := c.Get(getUserIDContextKey()).(int)
|
|
||||||
if !ok {
|
if !ok {
|
||||||
return echo.NewHTTPError(http.StatusForbidden, "this memo is protected, missing user in session")
|
return echo.NewHTTPError(http.StatusForbidden, "this memo is protected, missing user in session")
|
||||||
}
|
}
|
||||||
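Review bot: With the new `!ok || memo.CreatorID != userID` check, an unauthenticated or non-owning caller still gets a 403 `this memo is private only`, which confirms a memo with that ID exists, while the `Failed to find memo by ID` path above reveals non-existence — so if memo IDs are small integers (they are parsed with `strconv.Atoi` elsewhere in this file) private memos can be enumerated without access. If the existence of private memos should not be observable, return `http.StatusNotFound` from this branch instead of 403; the `Protected` branch can keep 403 since it only requires a session. The check itself reads correctly: it compares the stored `CreatorID` with the session user and rejects when no user is in the context, and dropping the inner `_, ok :=` makes the `Protected` branch reuse the same `ok`. The pre-existing `api.Privite` constant is a misspelling the commit does not touch and is worth a follow-up rename. The enclosing handler starts before the hunk.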
@@ -282,11 +296,24 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
|
|||||||
|
|
||||||
g.DELETE("/memo/:memoId", func(c echo.Context) error {
|
g.DELETE("/memo/:memoId", func(c echo.Context) error {
|
||||||
ctx := c.Request().Context()
|
ctx := c.Request().Context()
|
||||||
|
userID, ok := c.Get(getUserIDContextKey()).(int)
|
||||||
|
if !ok {
|
||||||
|
return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
|
||||||
|
}
|
||||||
|
|
||||||
memoID, err := strconv.Atoi(c.Param("memoId"))
|
memoID, err := strconv.Atoi(c.Param("memoId"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
|
return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
memoFind := &api.MemoFind{
|
||||||
|
ID: &memoID,
|
||||||
|
CreatorID: &userID,
|
||||||
|
}
|
||||||
|
if _, err := s.Store.FindMemo(ctx, memoFind); err != nil {
|
||||||
|
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo").SetInternal(err)
|
||||||
|
}
|
||||||
|
|
||||||
memoDelete := &api.MemoDelete{
|
memoDelete := &api.MemoDelete{
|
||||||
ID: memoID,
|
ID: memoID,
|
||||||
}
|
}
|
||||||
|
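Review bot: The pre-delete lookup with `CreatorID: &userID` is the only thing preventing a user from deleting another user's memo, and it maps every miss to 500 `Failed to find memo`, so an ownership failure is indistinguishable from a store outage and will be logged as an internal error. Return a client error for that case, e.g. `return echo.NewHTTPError(http.StatusNotFound, "Memo not found")`, and since `api.MemoDelete` here carries only `ID`, consider also passing `CreatorID` into the delete (if the store supports it) so the constraint is enforced by the deleting query itself rather than by a separate read — as written, a bug or bypass in the read path leaves the delete unscoped. The `DELETE` handler body continues past the hunk (the delete call is not visible), so I assume nothing else re-checks ownership there.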