fix: fix authorization in user/:id

TheClashFruit 2024-09-07 16:56:09 +02:00
parent d9377a9731
commit a4173e24ba
Signed by: TheClashFruit
GPG key ID: 09BB24C34C2F3204


@ -1,7 +1,8 @@
import { ErrorResponse, User } from '@/interfaces';
import Database from '@/lib/Database';
import { reqHasValidToken } from '@/utils/auth_util';
import { getAuthenticatedUser, reqHasValidToken } from '@/utils/auth_util';
import { getPermission, hasPermission, Permission, PermissionNamed } from '@/utils/permissions';
import type { NextApiRequest, NextApiResponse } from 'next';
@ -13,7 +14,22 @@ export default async function handler(
const { id } = req.query;
const valid = await reqHasValidToken(req);
let shouldShowSensitive = false;
// tf was I on?
// const valid = await reqHasValidToken(req);
// thats better
const vUser = await getAuthenticatedUser(req);
if (!vUser)
shouldShowSensitive = false;
if (
hasPermission(getPermission(vUser!.permissions), Permission.SuperAdmin) ||
vUser!.id === BigInt(id as string)
)
shouldShowSensitive = true;
if ((/^\d+$/).test(id as string)) {
let user = await db.getUser((id as string));
@ -24,12 +40,11 @@ export default async function handler(
message: 'User Not Found'
});
// TODO: check if user is admin or itself and show email and discordId
user = {
...user,
email: valid ? user.email : undefined,
discordId: valid ? user.discordId : undefined,
email: shouldShowSensitive ? user.email : undefined,
discordId: shouldShowSensitive ? user.discordId : undefined,
};
res.status(200).json(user);
@ -47,8 +62,8 @@ export default async function handler(
user = {
...user,
email: valid ? user.email : undefined,
discordId: valid ? user.discordId : undefined,
email: shouldShowSensitive ? user.email : undefined,
discordId: shouldShowSensitive ? user.discordId : undefined,
};
res.status(200).json(user);
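Review bot: In the second hunk, `if (!vUser) shouldShowSensitive = false;` does not stop execution, so a request without a valid session still reaches `vUser!.permissions`. Assuming `getAuthenticatedUser` returns null or undefined in that case, the handler throws instead of returning the public profile with `email` and `discordId` stripped. `BigInt(id as string)` is also evaluated before the `/^\d+$/` test further down, so for any caller who is not SuperAdmin a non-numeric `id` throws as well. I would replace the `let` and both `if` statements with a single guarded expression that drops the non-null assertions and converts `id` only after it is known to be a digit string, as below. The handler body starts and ends outside the hunk, so the `try`/`catch` context around these lines is not visible here.

```typescript
const vUser = await getAuthenticatedUser(req);

// Sensitive fields are shown only to an authenticated SuperAdmin or to the
// account owner; an anonymous caller falls through to `false` without a throw.
const shouldShowSensitive =
  vUser != null &&
  (hasPermission(getPermission(vUser.permissions), Permission.SuperAdmin) ||
    (typeof id === 'string' && /^\d+$/.test(id) && vUser.id === BigInt(id)));

// … unchanged: the two lookup branches that build the response …
```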