fix: add rule to check if user is owner of share

stonith404 · stonith404 · commit 2c47b2a28468 · 2022-10-10T23:34:03.000+02:00
diff --git a/backend/src/auth/auth.controller.ts b/backend/src/auth/auth.controller.ts
@@ -6,7 +6,6 @@ import {
   Post,
 } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
-import { UserDTO } from "src/user/dto/user.dto";
 
 import { AuthService } from "./auth.service";
 import { AuthRegisterDTO } from "./dto/authRegister.dto";
diff --git a/backend/src/file/file.controller.ts b/backend/src/file/file.controller.ts
@@ -10,23 +10,21 @@ import {
   UseGuards,
   UseInterceptors,
 } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { FileInterceptor } from "@nestjs/platform-express";
 import { Response } from "express";
 import { JwtGuard } from "src/auth/guard/jwt.guard";
 import { FileDownloadGuard } from "src/file/guard/fileDownload.guard";
 import { ShareDTO } from "src/share/dto/share.dto";
+import { ShareOwnerGuard } from "src/share/guard/shareOwner.guard";
 import { ShareSecurityGuard } from "src/share/guard/shareSecurity.guard";
 import { FileService } from "./file.service";
 
 @Controller("shares/:shareId/files")
 export class FileController {
-  constructor(
-    private fileService: FileService,
-    private config: ConfigService
-  ) {}
+  constructor(private fileService: FileService) {}
+
   @Post()
-  @UseGuards(JwtGuard)
+  @UseGuards(JwtGuard, ShareOwnerGuard)
   @UseInterceptors(
     FileInterceptor("file", {
       dest: "./uploads/_temp/",
@@ -43,7 +41,7 @@ export class FileController {
     file: Express.Multer.File,
     @Param("shareId") shareId: string
   ) {
-    return new ShareDTO().from( await this.fileService.create(file, shareId));
+    return new ShareDTO().from(await this.fileService.create(file, shareId));
   }
 
   @Get(":fileId/download")
diff --git a/backend/src/share/guard/shareOwner.guard.ts b/backend/src/share/guard/shareOwner.guard.ts
@@ -0,0 +1,33 @@
+import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
+import { Reflector } from "@nestjs/core";
+import { User } from "@prisma/client";
+import { Request } from "express";
+import { ExtractJwt } from "passport-jwt";
+import { PrismaService } from "src/prisma/prisma.service";
+import { ShareService } from "src/share/share.service";
+
+@Injectable()
+export class ShareOwnerGuard implements CanActivate {
+  constructor(
+    private prisma: PrismaService
+  ) {}
+
+  async canActivate(context: ExecutionContext) {
+    const request: Request = context.switchToHttp().getRequest();
+    const shareId = Object.prototype.hasOwnProperty.call(
+      request.params,
+      "shareId"
+    )
+      ? request.params.shareId
+      : request.params.id;
+
+    const share = await this.prisma.share.findUnique({
+      where: { id: shareId },
+      include: { security: true },
+    });
+
+
+
+    return share.creatorId == (request.user as User).id;
+  }
+}
diff --git a/backend/src/share/share.controller.ts b/backend/src/share/share.controller.ts
@@ -16,6 +16,7 @@ import { MyShareDTO } from "./dto/myShare.dto";
 import { ShareDTO } from "./dto/share.dto";
 import { ShareMetaDataDTO } from "./dto/shareMetaData.dto";
 import { SharePasswordDto } from "./dto/sharePassword.dto";
+import { ShareOwnerGuard } from "./guard/shareOwner.guard";
 import { ShareSecurityGuard } from "./guard/shareSecurity.guard";
 import { ShareService } from "./share.service";
 
@@ -50,14 +51,14 @@ export class ShareController {
   }
 
   @Delete(":id")
-  @UseGuards(JwtGuard)
-  async remove(@Param("id") id: string, @GetUser() user: User) {
-    await this.shareService.remove(id, user.id);
+  @UseGuards(JwtGuard, ShareOwnerGuard)
+  async remove(@Param("id") id: string) {
+    await this.shareService.remove(id);
   }
 
   @Post(":id/complete")
   @HttpCode(202)
-  @UseGuards(JwtGuard)
+  @UseGuards(JwtGuard, ShareOwnerGuard)
   async complete(@Param("id") id: string) {
     return new ShareDTO().from(await this.shareService.complete(id));
   }
diff --git a/backend/src/share/share.service.ts b/backend/src/share/share.service.ts
@@ -132,15 +132,13 @@ export class ShareService {
     return share;
   }
 
-  async remove(shareId: string, userId: string) {
+  async remove(shareId: string) {
     const share = await this.prisma.share.findUnique({
       where: { id: shareId },
     });
 
     if (!share) throw new NotFoundException("Share not found");
 
-    if (share.creatorId != userId) throw new ForbiddenException();
-
     await this.prisma.share.delete({ where: { id: shareId } });
   }
 
diff --git a/frontend/src/pages/account/shares.tsx b/frontend/src/pages/account/shares.tsx
@@ -5,6 +5,7 @@ import {
   Group,
   LoadingOverlay,
   Space,
+  Stack,
   Table,
   Text,
   Title,
@@ -39,14 +40,14 @@ const MyShares = () => {
       </Title>
       {shares.length == 0 ? (
         <Center style={{ height: "70vh" }}>
-          <Group direction="column" align="center" spacing={10}>
+          <Stack align="center" spacing={10}>
             <Title order={3}>It's empty here 👀</Title>
             <Text>You don't have any shares.</Text>
             <Space h={5} />
             <Button component={NextLink} href="/upload" variant="light">
               Create one
             </Button>
-          </Group>
+          </Stack>
         </Center>
       ) : (
         <Table>

Original file line number	Diff line number	Diff line change
`@@ -132,15 +132,13 @@ export class ShareService {`
`132`	`132`	`return share;`
`133`	`133`	`}`
`134`	`134`
`135`		`- async remove(shareId: string, userId: string) {`
	`135`	`+ async remove(shareId: string) {`
`136`	`136`	`const share = await this.prisma.share.findUnique({`
`137`	`137`	`where: { id: shareId },`
`138`	`138`	`});`
`139`	`139`
`140`	`140`	`if (!share) throw new NotFoundException("Share not found");`
`141`	`141`
`142`		`- if (share.creatorId != userId) throw new ForbiddenException();`
`143`		`-`
`144`	`142`	`await this.prisma.share.delete({ where: { id: shareId } });`
`145`	`143`	`}`
`146`	`144`