Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
5eb0487c77
|
|||
|
3f2680671b
|
|||
|
fd06e17d7d
|
@@ -17,13 +17,18 @@ class PermissionMiddleware extends Middleware {
|
||||
req,
|
||||
reason,
|
||||
check,
|
||||
oauth_client_id: req.oauth.client.id,
|
||||
oauth_client_id: req.oauth.client.uuid,
|
||||
})
|
||||
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions (OAuth2 Client).')
|
||||
.api()
|
||||
}
|
||||
|
||||
// If the oauth2 client has this permission, then allow the request to continue,
|
||||
// even if the user does not.
|
||||
// OAuth2Clients need to be able to query users via the API.
|
||||
return next()
|
||||
}
|
||||
|
||||
const policy_denied = await Policy.check_user_denied(req.user, check)
|
||||
|
||||
@@ -7,10 +7,11 @@ class APIRouteMiddleware extends Middleware {
|
||||
|
||||
async test(req, res, next, { allow_token = true, allow_user = true }) {
|
||||
// First, check if there is a user in the session.
|
||||
if ( allow_user && req.is_auth ) {
|
||||
if ( allow_user && req.user ) {
|
||||
return next()
|
||||
} else if ( allow_token ) {
|
||||
if ( !req.oauth ) req.oauth = {}
|
||||
|
||||
return req.app.oauth2.authorise()(req, res, async e => {
|
||||
if ( e ) return next(e)
|
||||
// Look up the OAuth2 client an inject it into the route
|
||||
@@ -52,10 +53,10 @@ class APIRouteMiddleware extends Middleware {
|
||||
|
||||
next()
|
||||
})
|
||||
}
|
||||
|
||||
} else {
|
||||
return res.status(401).api()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = APIRouteMiddleware
|
||||
|
||||
Reference in New Issue
Block a user