fix(security): signing in public folders

2024-11-14 22:06:00 +00:00 · 2024-08-22 21:26:57 -04:00 · 2024-08-22 21:26:57 -04:00 · 937528f767
commit 937528f767
parent 2d39b9be77
3 changed files with 24 additions and 6 deletions
--- a/src/backend/src/routers/file.js
+++ b/src/backend/src/routers/file.js
@ -40,6 +40,12 @@ router.get('/file', async (req, res, next)=>{
        return res.status(403).send(e);
    }
    
+    let can_write = false;
+    try{
+        validate_signature_auth(get_url_from_req(req), 'write');
+        can_write = true;
+    }catch(e){}
+
    const log = req.services.get('log-service').create('/file');
    const errors = req.services.get('error-service').create(log);

@ -80,7 +86,8 @@ router.get('/file', async (req, res, next)=>{
        if(children.length>0){
            for(const child of children){
                // sign file
-                const signed_child = await sign_file(child, 'write');
+                const signed_child = await sign_file(child,
+                    can_write ? 'write' : 'read');
                signed_children.push(signed_child);
            }
        }
--- a/src/backend/src/routers/open_item.js
+++ b/src/backend/src/routers/open_item.js
@ -54,11 +54,16 @@ module.exports = eggspress('/open_item', {
    }

    const svc_acl = Context.get('services').get('acl');
-    if ( ! await svc_acl.check(actor, subject, 'see') ) {
-        throw await svc_acl.get_safe_acl_error(actor, subject, 'see');
+    if ( ! await svc_acl.check(actor, subject, 'read') ) {
+        throw await svc_acl.get_safe_acl_error(actor, subject, 'read');
    }
    
-    const signature = await sign_file(subject.entry, 'write');
+    let action = 'write';
+    if ( ! await svc_acl.check(actor, subject, 'write') ) {
+        action = 'read';
+    }
+
+    const signature = await sign_file(subject.entry, action);
    const suggested_apps = await suggest_app_for_fsentry(subject.entry);
    console.log('suggested apps?', suggested_apps);
    const apps_only_one = suggested_apps.slice(0,1);
--- a/src/backend/src/routers/sign.js
+++ b/src/backend/src/routers/sign.js
@ -111,8 +111,14 @@ module.exports = eggspress('/sign', {
        }

        const svc_acl = Context.get('services').get('acl');
-        if ( ! await svc_acl.check(actor, node, 'see') ) {
-            throw await svc_acl.get_safe_acl_error(actor, node, 'see');
+        if ( ! await svc_acl.check(actor, node, 'read') ) {
+            throw await svc_acl.get_safe_acl_error(actor, node, 'read');
+        }
+        
+        if ( item.action === 'write' ) {
+            if ( ! await svc_acl.check(actor, node, 'write') ) {
+                throw await svc_acl.get_safe_acl_error(actor, node, 'write');
+            }
        }

        if ( app !== null ) {