From c4e0e28033b14a7324067dc1c7c56ac3d3a51620 Mon Sep 17 00:00:00 2001
From: Alex Layton
Date: Sun, 15 Aug 2021 00:52:08 -0400
Subject: [PATCH] Fix safety checks for /bookmarks and /shares

---
 oada/services/http-handler/src/resources.ts | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/oada/services/http-handler/src/resources.ts b/oada/services/http-handler/src/resources.ts
index 20030d34..9b186e6d 100644
--- a/oada/services/http-handler/src/resources.ts
+++ b/oada/services/http-handler/src/resources.ts
@@ -100,10 +100,7 @@ const plugin: FastifyPluginAsync = async function (fastify, opts) {
 // log
 request.log.info('Graph lookup: %s => %s', fullpath, url);
 // Remove `/resources`? idek
- request.requestContext.set(
- 'oadaPath',
- url.replace(/^\/?resources\//, '/')
- );
+ request.requestContext.set('oadaPath', url);
 reply.header('Content-Location', '/' + url);
 } else {
 reply.header('Content-Location', '/' + fullpath);
@@ -476,7 +473,7 @@ const plugin: FastifyPluginAsync = async function (fastify, opts) {
 // Don't let users delete their shares?
 noModifyShares(request, reply);
 // Don't let users DELETE their bookmarks?
- if (path === '/' + user['bookmarks_id']) {
+ if (path === user.bookmarks_id) {
 return reply.forbidden('User cannot delete their bookmarks');
 }
 
@@ -487,7 +484,7 @@ const plugin: FastifyPluginAsync = async function (fastify, opts) {
 // Switch to DELETE on parent resource
 const id = oadaGraph.from['resource_id'];
 const pathlo = oadaGraph.from['path_leftover'];
- path = '/' + id.replace(/^\/?resources\//, '') + pathlo;
+ path = '/' + id + pathlo;
 oadaGraph = oadaGraph.from;
 // parent resource DOES exist,
 // but linked resource may or may not have existed
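Review bot: The comment reading "Remove `/resources`? idek" directly above the new `request.requestContext.set('oadaPath', url);` is now stale, because the `replace` that stripped the `resources/` prefix is gone and `oadaPath` is set to `url` exactly as the graph lookup returned it. Since later guards in this handler compare against that stored path by exact string equality, the comment should state the form `oadaPath` now carries rather than question it, e.g. `// oadaPath keeps the graph-lookup url verbatim (prefix untouched) so later equality checks see the same form — TODO confirm url has no leading slash`; I cannot see what `url` looks like from this hunk, so that wording is hedged. The enclosing handler continues outside the hunk.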
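Review bot: `if (path === user.bookmarks_id)` is the only guard that stops a user deleting their own bookmarks, and it is an exact string comparison, so it only holds if `path` at this point has the same shape as `bookmarks_id` (same prefix convention, no leading slash); this hunk removes the `'/' +` the old check prepended, while the hunk at @@ -487 still assigns `path = '/' + id + pathlo` with a leading slash, so the two sites disagree on which form `path` carries. A comment on the check naming the expected form, e.g. `// path and bookmarks_id are compared verbatim: both are expected in the same 'resources/<id>' form — TODO confirm against oadaPath`, plus a unit test with a matching and a non-matching id would make the guard's contract visible. Separately, `noModifyShares(request, reply);` discards its return value; if that helper signals refusal by replying instead of throwing, the handler would continue past it, which is worth confirming. The enclosing handler starts and ends outside the hunk.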
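Review bot: `path = '/' + id + pathlo;` now uses `resource_id` verbatim and prepends a slash, so after the switch to the parent resource `path` is in a different form from the one the bookmarks check at @@ -476 compares without a slash; whether anything after this point re-checks `path` against bookmarks or shares ids is outside the hunk and should be confirmed. A one-line comment would make the intended form explicit, e.g. `// path is '/' + parent resource id + leftover here; the leading slash is required by the DELETE below — TODO confirm`. As a style point, `oadaGraph.from['resource_id']` and `oadaGraph.from['path_leftover']` keep bracket access while the second hunk switched to `user.bookmarks_id` dot access; picking one form for these known keys would read more consistently. The enclosing handler continues outside the hunk.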