fix: admin permissions + restrict nav settings

4f16dd0c · NGPixel · 10f17c57 · 4f16dd0c · 4f16dd0c
Commit 4f16dd0c authored Jul 19, 2020 by NGPixel
Show whitespace changes
Inline Side-by-side

Showing with 16 additions and 2 deletions

common.js server/controllers/common.js +14 -0

navigation.graphql server/graph/schemas/navigation.graphql +2 -2

No files found.
--- a/server/controllers/common.js
+++ b/server/controllers/common.js
@@ -36,6 +36,20 @@ router.get('/healthz', (req, res, next) => {
 * Administration
 */
 router.get(['/a', '/a/*'], (req, res, next) => {
+  if (!WIKI.auth.checkAccess(req.user, [
+    'manage:system',
+    'write:users',
+    'manage:users',
+    'write:groups',
+    'manage:groups',
+    'manage:navigation',
+    'manage:theme',
+    'manage:api'
+  ])) {
+    _.set(res.locals, 'pageMeta.title', 'Unauthorized')
+    return res.render('unauthorized', { action: 'view' })
+  }
  _.set(res.locals, 'pageMeta.title', 'Admin')
  res.render('admin')
 })

--- a/server/graph/schemas/navigation.graphql
+++ b/server/graph/schemas/navigation.graphql
@@ -15,8 +15,8 @@ extend type Mutation {
 # -----------------------------------------------
 type NavigationQuery {
-  tree: [NavigationTree]!
+  tree: [NavigationTree]! @auth(requires: ["manage:navigation", "manage:system"])
-  config: NavigationConfig!
+  config: NavigationConfig! @auth(requires: ["manage:navigation", "manage:system"])
 }
 # -----------------------------------------------