GH-1473 Validate permissions in upload & trash components (Fix #1473)

dzikoysk · Jul 22, 2022 · d075eba · d075eba
1 parent e3156c4
commit d075eba
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 6 deletions.
diff --git a/reposilite-frontend/src/components/browser/FileBrowserView.vue b/reposilite-frontend/src/components/browser/FileBrowserView.vue
@@ -35,7 +35,7 @@ const props = defineProps({
 
 const parentPath = ref('')
 const files = ref({})
-const { client, isManager } = useSession()
+const { client, hasPermissionTo } = useSession()
 const { applyAdjustments } = useAdjustments()
 
 const processedFiles = computed(() => ({
@@ -104,7 +104,7 @@ watch(
             :files="processedFiles" 
           />
           <BrowserUpload 
-            v-if="isManager && qualifier.path.length > 1"
+            v-if="qualifier.path.length > 1 && hasPermissionTo(`/${qualifier.path}`, 'route:write')"
             :qualifier="qualifier"
           />
         </div>

diff --git a/reposilite-frontend/src/components/browser/ListEntry.vue b/reposilite-frontend/src/components/browser/ListEntry.vue
@@ -16,6 +16,7 @@
 
 <script setup>
 import prettyBytes from 'pretty-bytes'
+import { useSession } from '../../store/session'
 import EyeIcon from '../icons/EyeIcon.vue'
 import TrashIcon from '../icons/TrashIcon.vue'
 
@@ -38,8 +39,11 @@ const props = defineProps({
   }
 })
 
+const { hasPermissionTo } = useSession()
+
 const isHumanReadable =
-  ['application/xml', 'text/plain', 'text/xml', 'text/markdown', 'application/json'].some(type => props.file?.contentType == type)
+  ['application/xml', 'text/plain', 'text/xml', 'text/markdown', 'application/json']
+    .some(type => props.file?.contentType == type)
 
 const openUrl = (url) =>
   window.open(url)
@@ -63,7 +67,7 @@ const openUrl = (url) =>
           v-on:click.stop
         />
         <TrashIcon
-          v-if="qualifier.path.length > 1"
+          v-if="qualifier.path.length > 1 && hasPermissionTo(`/${qualifier.path}`, 'route:write')"
           id="delete-button"
           class="px-1 mr-6 pt-0.4 rounded-full text-purple-300 hover:(transition-colors duration-200 bg-gray-100 dark:bg-gray-900)"
           @click.left.prevent="openDeleteEntryModal(file.name)"

diff --git a/reposilite-frontend/src/store/session.js b/reposilite-frontend/src/store/session.js
@@ -22,6 +22,8 @@ const token = ref({
   secret: localStorage.getItem('token-secret') || '',
 })
 
+const details = ref()
+
 watchEffect(() => {
   localStorage.setItem('token-name', token.value.name)
   localStorage.setItem('token-secret', token.value.secret)
@@ -30,8 +32,6 @@ watchEffect(() => {
 const setToken = (name, secret) =>
   token.value = { name, secret }
 
-const details = ref()
-
 const logout = () => {
   details.value = undefined
   setToken('', '')
@@ -52,6 +52,18 @@ const client = computed(() => createClient(token.value.name, token.value.secret)
 const isLogged = computed(() => details.value !== undefined)
 const isManager = computed(() => details.value?.permissions?.find(entry => entry.identifier === 'access-token:manager'))
 
+const hasPermissionTo = (path, permission) => {
+  if (isManager.value) {
+    return true
+  }
+
+  if (details.value == null) {
+    return
+  }
+
+  return details.value.routes.find(route => path.startsWith(route.path) && route.permission.identifier == permission)
+}
+
 export function useSession() {
   return {
     token,
@@ -61,6 +73,7 @@ export function useSession() {
     isLogged,
     client,
     isManager,
+    hasPermissionTo,
     initializeSession
   }
 }