

Properly check if content can be embedded (#385)
denishov committed Dec 29, 2023
1 parent b1599e4 commit 19fb533
Showing 1 changed file with 16 additions and 6 deletions.
22 changes: 16 additions & 6 deletions controller/project/project.controller.js
Expand Up @@ -712,25 +712,35 @@ const deleteProject = async function (req, res) {
}
};

// eslint-disable-next-line max-statements
const embed = async function (req, res) {
let loggedUser = 'anonymous';
if (req.isAuthenticated()) {
loggedUser = req.user.username;
}

const refererURL = new URL(req.headers.referer);
const disallowedDomains = req.user.authorizedHostsForEmbedding.split('\n') || [];
if (disallowedDomains.include(refererURL.host)) {
return res.status(403).send('Not authorized to embed this project');
}

const json = await req.db.get('project').findOne({ shortname: req.params.projectName, backup: { $exists: 0 } });
if (json) {
if (!AccessControlService.hasFilesAccess(AccessLevel.VIEW, json, loggedUser)) {
res.status(401).send('Authorization required');

return;
}

const {referer} = req.headers;
let isEmbeddingDisallowed = true;

if (referer) {
const refererURL = new URL(req.headers.referer);
const user = await req.db.get('user').findOne({ nickname: json.owner });
const disallowedDomains = user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding.split('\n') : [];
isEmbeddingDisallowed = disallowedDomains.includes(refererURL.host);
}

if (isEmbeddingDisallowed) {
return res.status(403).send('Not authorized to embed this project');
}

json.files.list = [];
res.render('embed', {
projectInfo: JSON.stringify(json),
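Review bot: `new URL(req.headers.referer)` inside the new `if (referer)` branch throws a TypeError when the header is present but not an absolute URL, and `user.authorizedHostsForEmbedding` throws when no user document matches `json.owner`; since `embed` is an async function with no try/catch visible in the hunk, either case becomes a rejected promise instead of the intended 403, so the Referer parse should be guarded and the lookup null-checked, failing closed in both cases. Entries from `split('\n')` are compared untrimmed, so a trailing `\r` or space in the stored list would silently make a configured entry never match (and `host` includes any port), so trim and drop empty entries before `includes`. The list is read from `authorizedHostsForEmbedding` but named `disallowedDomains`, and a match sets `isEmbeddingDisallowed = true`; if that field is an allow-list as its name suggests, the condition is inverted and should be `isEmbeddingDisallowed = !hosts.includes(refererHost)` — worth confirming against where the setting is written. Referer is client-supplied and may be absent or stripped by browser policy, so this gate is an embedding policy rather than an authorization boundary; the `hasFilesAccess` check above remains the access control. The `embed` function continues past the end of the hunk.
```javascript
    if (referer) {
      let refererHost = null;
      try {
        refererHost = new URL(referer).host;
      } catch (err) {
        // Malformed Referer: treat as not embeddable instead of rejecting the request promise.
        refererHost = null;
      }
      if (refererHost !== null) {
        const user = await req.db.get('user').findOne({ nickname: json.owner });
        const rawHosts = user && user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding : '';
        const hosts = rawHosts
          .split('\n')
          .map((h) => h.trim())
          .filter((h) => h.length > 0);
        // NOTE(review): negate this if authorizedHostsForEmbedding is an allow-list.
        isEmbeddingDisallowed = hosts.includes(refererHost);
      }
    }
    // … unchanged: 403 response, json.files.list reset, render …
```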

