From ef8b87075f4352f5e4a12da1e1a141e00f83bc50 Mon Sep 17 00:00:00 2001
From: unitwk
Date: Thu, 22 Dec 2022 21:24:42 +0800
Subject: [PATCH] Feat: strengthen permission
---
 package-lock.json | 13 ++++++++++++-
 src/app/routers/protected/user_instance_router.ts | 5 +++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/package-lock.json b/package-lock.json
index dda89a3..9d5ae91 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -211,6 +211,12 @@
 "@types/node": "*"
 }
 },
+ "@types/bcryptjs": {
+ "version": "2.4.2",
+ "resolved": "https://registry.npmjs.org/@types/bcryptjs/-/bcryptjs-2.4.2.tgz",
+ "integrity": "sha512-LiMQ6EOPob/4yUL66SZzu6Yh77cbzJFYll+ZfaPiPPFswtIlA/Fs1MzdKYA7JApHU49zQTbJGX3PDmCpIdDBRQ==",
+ "dev": true
+ },
 "@types/body-parser": {
 "version": "1.19.1",
 "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.19.1.tgz",
@@ -848,6 +854,11 @@
 "resolved": "https://registry.npmjs.org/base64id/-/base64id-2.0.0.tgz",
 "integrity": "sha512-lGe34o6EHj9y3Kts9R4ZYs/Gr+6N7MCaMlIFA3F1R2O5/m7K06AxfSeO5530PEERE6/WyEg3lsuyw4GHlPZHog=="
 },
+ "bcryptjs": {
+ "version": "2.4.3",
+ "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz",
+ "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ=="
+ },
 "binary-extensions": {
 "version": "2.2.0",
 "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz",
@@ -2513,7 +2524,7 @@
 "object-assign": {
 "version": "4.1.1",
 "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
- "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg=="
+ "integrity": "sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM="
 },
 "object-inspect": {
 "version": "1.11.0",
diff --git a/src/app/routers/protected/user_instance_router.ts b/src/app/routers/protected/user_instance_router.ts
index b2c0a2a..15bd48b 100755
--- a/src/app/routers/protected/user_instance_router.ts
+++ b/src/app/routers/protected/user_instance_router.ts
@@ -150,6 +150,11 @@ router.post(
 const serviceUuid = String(ctx.query.remote_uuid);
 const instanceUuid = String(ctx.query.uuid);
 const taskName = String(ctx.query.task_name);
+ // some asynchronous tasks are only allowed for administrators
+ const needAdminTask = ["quick_install"];
+ if (needAdminTask.includes(taskName) && !isTopPermissionByUuid(ctx.session["uuid"])) {
+ throw new Error("illegal access");
+ }
 const parameter = ctx.request.body;
 const remoteService = RemoteServiceSubsystem.getInstance(serviceUuid);
 const result = await new RemoteRequest(remoteService).request("instance/asynchronous", {
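Review bot: The admin check added after `const taskName = String(ctx.query.task_name);` is a denylist, so it fails open: every task name other than `quick_install` is still forwarded to `instance/asynchronous` for a non-admin caller, and a privileged task added to the daemon later stays exposed until someone extends `needAdminTask`. Inverting it to an allowlist of the tasks ordinary users may start would fail closed, e.g. `if (!userAllowedTasks.includes(taskName) && !isTopPermissionByUuid(ctx.session["uuid"])) throw new Error("illegal access");`, where `userAllowedTasks` is a placeholder name for a module-level constant. The comparison is an exact string match, so it only holds if the daemon matches task names just as strictly; that side is not visible here and is worth confirming. Logging the denied attempt (session uuid and task name) before the throw would also give operators a signal to alert on. The `router.post(` handler begins and ends outside this hunk, so any permission middleware in front of it is not visible.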