Align Manager API access with frontend access
GHSA-wfq3-65gm-3g2p
This commit is contained in:
Timothy Carambat
parent
e7ebeb47fc
commit
732eac6fa8
@ -316,6 +316,7 @@ const SidebarOptions = ({ user = null, t }) => (
|
|||||||
className="h-5 w-5 flex-shrink-0 light:invert"
|
className="h-5 w-5 flex-shrink-0 light:invert"
|
||||||
/>
|
/>
|
||||||
}
|
}
|
||||||
|
user={user}
|
||||||
childOptions={[
|
childOptions={[
|
||||||
{
|
{
|
||||||
btnText: t("settings.community-hub.trending"),
|
btnText: t("settings.community-hub.trending"),
|
||||||
|
|||||||
@ -324,6 +324,7 @@ function adminEndpoints(app) {
|
|||||||
[validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
|
[validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
|
||||||
async (request, response) => {
|
async (request, response) => {
|
||||||
try {
|
try {
|
||||||
|
const user = await userFromSession(request, response);
|
||||||
const requestedSettings = {};
|
const requestedSettings = {};
|
||||||
const labels = request.query.labels?.split(",") || [];
|
const labels = request.query.labels?.split(",") || [];
|
||||||
const needEmbedder = [
|
const needEmbedder = [
|
||||||
@ -339,10 +340,27 @@ function adminEndpoints(app) {
|
|||||||
"meta_page_favicon",
|
"meta_page_favicon",
|
||||||
];
|
];
|
||||||
|
|
||||||
|
// Managers can only read a limited set of settings.
|
||||||
|
// These match the ManagerRoute pages in the frontend.
|
||||||
|
const managerAllowedFields = [
|
||||||
|
"custom_app_name",
|
||||||
|
"footer_data",
|
||||||
|
"support_email",
|
||||||
|
"meta_page_title",
|
||||||
|
"meta_page_favicon",
|
||||||
|
];
|
||||||
|
|
||||||
for (const label of labels) {
|
for (const label of labels) {
|
||||||
// Skip any settings that are not explicitly defined as public
|
// Skip any settings that are not explicitly defined as public
|
||||||
if (!SystemSettings.publicFields.includes(label)) continue;
|
if (!SystemSettings.publicFields.includes(label)) continue;
|
||||||
|
|
||||||
|
// Managers can only read manager-allowed fields
|
||||||
|
if (
|
||||||
|
user?.role === ROLES.manager &&
|
||||||
|
!managerAllowedFields.includes(label)
|
||||||
|
)
|
||||||
|
continue;
|
||||||
|
|
||||||
// Only get the embedder if the setting actually needs it
|
// Only get the embedder if the setting actually needs it
|
||||||
let embedder = needEmbedder.includes(label)
|
let embedder = needEmbedder.includes(label)
|
||||||
? getEmbeddingEngineSelection()
|
? getEmbeddingEngineSelection()
|
||||||
@ -419,7 +437,29 @@ function adminEndpoints(app) {
|
|||||||
[validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
|
[validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
|
||||||
async (request, response) => {
|
async (request, response) => {
|
||||||
try {
|
try {
|
||||||
const updates = reqBody(request);
|
const user = await userFromSession(request, response);
|
||||||
|
let updates = reqBody(request);
|
||||||
|
|
||||||
|
// Managers can only update a limited set of settings.
|
||||||
|
// These match the ManagerRoute pages in the frontend.
|
||||||
|
// Admin users can update all supportedFields without restriction.
|
||||||
|
if (user?.role === ROLES.manager) {
|
||||||
|
const managerAllowedFields = [
|
||||||
|
"custom_app_name",
|
||||||
|
"footer_data",
|
||||||
|
"support_email",
|
||||||
|
"meta_page_title",
|
||||||
|
"meta_page_favicon",
|
||||||
|
];
|
||||||
|
const filteredUpdates = {};
|
||||||
|
for (const key of Object.keys(updates)) {
|
||||||
|
if (managerAllowedFields.includes(key)) {
|
||||||
|
filteredUpdates[key] = updates[key];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
updates = filteredUpdates;
|
||||||
|
}
|
||||||
|
|
||||||
await SystemSettings.updateSettings(updates);
|
await SystemSettings.updateSettings(updates);
|
||||||
response.status(200).json({ success: true, error: null });
|
response.status(200).json({ success: true, error: null });
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user