fix(security): signing in public folders

This commit is contained in:
KernelDeimos 2024-08-22 21:26:57 -04:00
parent 2d39b9be77
commit 937528f767
3 changed files with 24 additions and 6 deletions


@ -40,6 +40,12 @@ router.get('/file', async (req, res, next)=>{
return res.status(403).send(e); return res.status(403).send(e);
} }
let can_write = false;
try{
validate_signature_auth(get_url_from_req(req), 'write');
can_write = true;
}catch(e){}
const log = req.services.get('log-service').create('/file'); const log = req.services.get('log-service').create('/file');
const errors = req.services.get('error-service').create(log); const errors = req.services.get('error-service').create(log);
@ -80,7 +86,8 @@ router.get('/file', async (req, res, next)=>{
if(children.length>0){ if(children.length>0){
for(const child of children){ for(const child of children){
// sign file // sign file
const signed_child = await sign_file(child, 'write'); const signed_child = await sign_file(child,
can_write ? 'write' : 'read');
signed_children.push(signed_child); signed_children.push(signed_child);
} }
} }
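Review bot: The empty `}catch(e){}` after `validate_signature_auth(get_url_from_req(req), 'write')` makes every failure look like "no write signature", including a thrown bug in `get_url_from_req` or a misconfigured signing key, so a regression there silently degrades every child to a read-only signature instead of surfacing. The fail-closed default is the right one here, but it should be stated, and the error should at least be logged once `log` exists a few lines below; for example `}catch(e){ /* fail closed: no valid write signature on the request, children are signed read-only */ }`. It may also be worth checking whether the parent entry's own signature in this handler (outside the hunk) still uses a fixed `'write'`, since only the `sign_file(child, …)` call at the loop was switched to `can_write`. The route handler starts and ends outside the hunk.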


@ -54,11 +54,16 @@ module.exports = eggspress('/open_item', {
} }
const svc_acl = Context.get('services').get('acl'); const svc_acl = Context.get('services').get('acl');
if ( ! await svc_acl.check(actor, subject, 'see') ) { if ( ! await svc_acl.check(actor, subject, 'read') ) {
throw await svc_acl.get_safe_acl_error(actor, subject, 'see'); throw await svc_acl.get_safe_acl_error(actor, subject, 'read');
} }
const signature = await sign_file(subject.entry, 'write'); let action = 'write';
if ( ! await svc_acl.check(actor, subject, 'write') ) {
action = 'read';
}
const signature = await sign_file(subject.entry, action);
const suggested_apps = await suggest_app_for_fsentry(subject.entry); const suggested_apps = await suggest_app_for_fsentry(subject.entry);
console.log('suggested apps?', suggested_apps); console.log('suggested apps?', suggested_apps);
const apps_only_one = suggested_apps.slice(0,1); const apps_only_one = suggested_apps.slice(0,1);
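Review bot: The `let action = 'write'; if ( ! await svc_acl.check(actor, subject, 'write') ) { action = 'read'; }` sequence reads as a mutable default that is later downgraded, which invites a future edit that adds a third branch and forgets the downgrade; a single `const` expresses the same decision directly: `const action = (await svc_acl.check(actor, subject, 'write')) ? 'write' : 'read';`. A short comment such as `// sign with the widest action the actor actually holds on the subject` would make the intent of the downgrade explicit for readers of this handler. The `console.log('suggested apps?', …)` context line below is pre-existing debug output and could be dropped in a follow-up. The eggspress handler starts and ends outside the hunk.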


@ -111,8 +111,14 @@ module.exports = eggspress('/sign', {
} }
const svc_acl = Context.get('services').get('acl'); const svc_acl = Context.get('services').get('acl');
if ( ! await svc_acl.check(actor, node, 'see') ) { if ( ! await svc_acl.check(actor, node, 'read') ) {
throw await svc_acl.get_safe_acl_error(actor, node, 'see'); throw await svc_acl.get_safe_acl_error(actor, node, 'read');
}
if ( item.action === 'write' ) {
if ( ! await svc_acl.check(actor, node, 'write') ) {
throw await svc_acl.get_safe_acl_error(actor, node, 'write');
}
} }
if ( app !== null ) { if ( app !== null ) {
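Review bot: The new guard `if ( item.action === 'write' )` only tightens the case where the client asked for exactly `'write'`; any other value of `item.action` passes with nothing more than the `'read'` check above it. If `item.action` is taken from the request and later forwarded to `sign_file` in the part of this handler that is outside the hunk (which I cannot confirm from these lines), an unexpected action string would be signed with read-level authorisation only. Rejecting anything outside the two known values before the ACL checks closes that gap: `if ( item.action !== 'read' && item.action !== 'write' ) { throw new Error('invalid action'); }`, using whatever error type this handler already uses for bad input. The same allowlist would keep the `/open_item` handler and this one in agreement on which actions a signature can carry.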