chrisryn/requestarr
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
This PR fixes a security issue where authenticated users could access and modify data belonging to
other users. The isOwnProfileOrAdmin() middleware was missing from several push subscription API
routes. As a result, any authenticated user on the instance could manipulate the userId parameter in
the URL to view or delete the push subscriptions of other users.
This commit is contained in:
Gauthier
2026-02-27 17:58:50 +01:00
committed by GitHub
parent 4f089b29d0
commit 946bdecec5
3 changed files with 45 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
server/utils/profileMiddleware.ts Normal file
View File

@@ -0,0 +1,30 @@
import { Permission } from '@server/lib/permissions';
export const isOwnProfile = (): Middleware => {
return (req, res, next) => {
if (req.user?.id !== Number(req.params.id)) {
return next({
status: 403,
message: "You do not have permission to view this user's settings.",
});
}
next();
};
};
export const isOwnProfileOrAdmin = (): Middleware => {
const authMiddleware: Middleware = (req, res, next) => {
if (
!req.user?.hasPermission(Permission.MANAGE_USERS) &&
req.user?.id !== Number(req.params.id)
) {
return next({
status: 403,
message: "You do not have permission to view this user's settings.",
});
}
next();
};
return authMiddleware;
};