Only show user list to logged in users with appropriate permissions

floscher · floscher · commit 59f978c0ce59 · 2024-08-01T12:00:07.000+02:00
diff --git a/client/src/util/api-client.ts b/client/src/util/api-client.ts
@@ -90,7 +90,7 @@ export class AuthEndpoints {
   static async getLoggedInUser(): Promise<LoggedInUserInfo> {
     const token = loadIdToken();
     if (token) {
-      return callServer<null, JsonMimeType, LoggedInUserInfo>("/api/auth/loggedInUser/", "POST", "application/json");
+      return callServer<null, JsonMimeType, LoggedInUserInfo>("/api/utility/loggedInUser", "POST", "application/json");
     }
     return Promise.reject();
   }
diff --git a/server/src/routes/admin.ts b/server/src/routes/admin.ts
@@ -1,11 +1,17 @@
-import { toProviderId, UserWithOAuthProviders } from "@fumix/fu-blog-common";
+import { LoggedInUserInfo, toProviderId, UserWithOAuthProviders } from "@fumix/fu-blog-common";
+import { authMiddleware } from "../service/middleware/auth.js";
 import express, { Request, Response, Router } from "express";
 import { AppDataSource } from "../data-source.js";
 import { OAuthAccountEntity } from "../entity/OAuthAccount.entity.js";
 
 const router: Router = express.Router();
 
-router.get("/users", async (req, res, next) => {
+router.get("/users", authMiddleware, async (req, res, next) => {
+  const loggedInUser: LoggedInUserInfo | undefined = await req.loggedInUser?.();
+  if (loggedInUser?.permissions?.canEditUserRoles ?? true) {
+    return res.status(401).json({ message: "Unauthorized" });
+  }
+
   await AppDataSource.manager
     .getRepository(OAuthAccountEntity)
     .find({ relations: { user: true }, order: { user: { id: "ASC" } } })
diff --git a/server/src/routes/auth.ts b/server/src/routes/auth.ts
@@ -97,16 +97,6 @@ async function getAuthorizationUrl(
   }
 }
 
-router.post("/loggedInUser", authMiddleware, async (req, res) => {
-  const account = await req.loggedInUser?.();
-
-  if (account) {
-    res.status(200).json(account);
-  } else {
-    res.status(403).json({ error: "Unauthorized" });
-  }
-});
-
 /**
  * Endpoint to get a {@link OAuthUserInfoDto}.
  *
diff --git a/server/src/routes/utility.ts b/server/src/routes/utility.ts
@@ -116,4 +116,14 @@ router.post("/dallEGenerateImage", authMiddleware, async (req, res, next) => {
     .catch((e) => res.status(502).json({ error: e }));
 });
 
+router.post("/loggedInUser", authMiddleware, async (req, res) => {
+  const account = await req.loggedInUser?.();
+
+  if (account) {
+    res.status(200).json(account);
+  } else {
+    res.status(403).json({ error: "Unauthorized" });
+  }
+});
+
 export default router;

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ export class AuthEndpoints {`
`90`	`90`	`static async getLoggedInUser(): Promise<LoggedInUserInfo> {`
`91`	`91`	`const token = loadIdToken();`
`92`	`92`	`if (token) {`
`93`		`- return callServer<null, JsonMimeType, LoggedInUserInfo>("/api/auth/loggedInUser/", "POST", "application/json");`
	`93`	`+ return callServer<null, JsonMimeType, LoggedInUserInfo>("/api/utility/loggedInUser", "POST", "application/json");`
`94`	`94`	`}`
`95`	`95`	`return Promise.reject();`
`96`	`96`	`}`
Original file line number	Diff line number	Diff line change
`@@ -97,16 +97,6 @@ async function getAuthorizationUrl(`
`97`	`97`	`}`
`98`	`98`	`}`
`99`	`99`
`100`		`-router.post("/loggedInUser", authMiddleware, async (req, res) => {`
`101`		`- const account = await req.loggedInUser?.();`
`102`		`-`
`103`		`- if (account) {`
`104`		`- res.status(200).json(account);`
`105`		`- } else {`
`106`		`- res.status(403).json({ error: "Unauthorized" });`
`107`		`- }`
`108`		`-});`
`109`		`-`
`110`	`100`	`/**`
`111`	`101`	`* Endpoint to get a {@link OAuthUserInfoDto}.`
`112`	`102`	`*`