Feat: strengthen permission

2022-12-22 21:24:42 +08:00 · 2022-12-22 21:24:42 +08:00 · ef8b87075f
commit ef8b87075f
parent a322a3bfac
2 changed files with 17 additions and 1 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -211,6 +211,12 @@
        "@types/node": "*"
      }
    },
+    "@types/bcryptjs": {
+      "version": "2.4.2",
+      "resolved": "https://registry.npmjs.org/@types/bcryptjs/-/bcryptjs-2.4.2.tgz",
+      "integrity": "sha512-LiMQ6EOPob/4yUL66SZzu6Yh77cbzJFYll+ZfaPiPPFswtIlA/Fs1MzdKYA7JApHU49zQTbJGX3PDmCpIdDBRQ==",
+      "dev": true
+    },
    "@types/body-parser": {
      "version": "1.19.1",
      "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.19.1.tgz",
@ -848,6 +854,11 @@
      "resolved": "https://registry.npmjs.org/base64id/-/base64id-2.0.0.tgz",
      "integrity": "sha512-lGe34o6EHj9y3Kts9R4ZYs/Gr+6N7MCaMlIFA3F1R2O5/m7K06AxfSeO5530PEERE6/WyEg3lsuyw4GHlPZHog=="
    },
+    "bcryptjs": {
+      "version": "2.4.3",
+      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz",
+      "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ=="
+    },
    "binary-extensions": {
      "version": "2.2.0",
      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz",
@ -2513,7 +2524,7 @@
    "object-assign": {
      "version": "4.1.1",
      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
-      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg=="
+      "integrity": "sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM="
    },
    "object-inspect": {
      "version": "1.11.0",
--- a/src/app/routers/protected/user_instance_router.ts
+++ b/src/app/routers/protected/user_instance_router.ts
@ -150,6 +150,11 @@ router.post(
      const serviceUuid = String(ctx.query.remote_uuid);
      const instanceUuid = String(ctx.query.uuid);
      const taskName = String(ctx.query.task_name);
+      // some asynchronous tasks are only allowed for administrators
+      const needAdminTask = ["quick_install"];
+      if (needAdminTask.includes(taskName) && !isTopPermissionByUuid(ctx.session["uuid"])) {
+        throw new Error("illegal access");
+      }
      const parameter = ctx.request.body;
      const remoteService = RemoteServiceSubsystem.getInstance(serviceUuid);
      const result = await new RemoteRequest(remoteService).request("instance/asynchronous", {