This commit is contained in:
syuilo 2023-01-13 14:46:56 +09:00
parent 54ff4e53cb
commit 0a6e237d09
3 changed files with 14 additions and 7 deletions

View File

@ -271,6 +271,17 @@ export class ApiCallService implements OnApplicationShutdown {
} }
} }
if (ep.meta.requireRoleOption != null && !user!.isRoot) {
const myRole = await this.roleService.getUserRoleOptions(user!.id);
if (!myRole[ep.meta.requireRoleOption]) {
throw new ApiError({
message: 'You are not assigned to a required role.',
code: 'ROLE_PERMISSION_DENIED',
id: '7f86f06f-7e15-4057-8561-f4b6d4ac755a',
});
}
}
if (token && ep.meta.kind && !token.permission.some(p => p === ep.meta.kind)) { if (token && ep.meta.kind && !token.permission.some(p => p === ep.meta.kind)) {
throw new ApiError({ throw new ApiError({
message: 'Your app does not have the necessary permissions to use this endpoint.', message: 'Your app does not have the necessary permissions to use this endpoint.',

View File

@ -695,6 +695,8 @@ export interface IEndpointMeta {
*/ */
readonly requireAdmin?: boolean; readonly requireAdmin?: boolean;
readonly requireRoleOption?: string;
/** /**
* *
* *

View File

@ -4,12 +4,12 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
import type { RegistrationTicketsRepository } from '@/models/index.js'; import type { RegistrationTicketsRepository } from '@/models/index.js';
import { IdService } from '@/core/IdService.js'; import { IdService } from '@/core/IdService.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { RoleService } from '@/core/RoleService.js';
export const meta = { export const meta = {
tags: ['meta'], tags: ['meta'],
requireCredential: true, requireCredential: true,
requireRoleOption: 'canInvite',
res: { res: {
type: 'object', type: 'object',
@ -39,15 +39,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
@Inject(DI.registrationTicketsRepository) @Inject(DI.registrationTicketsRepository)
private registrationTicketsRepository: RegistrationTicketsRepository, private registrationTicketsRepository: RegistrationTicketsRepository,
private roleService: RoleService,
private idService: IdService, private idService: IdService,
) { ) {
super(meta, paramDef, async (ps, me) => { super(meta, paramDef, async (ps, me) => {
const role = await this.roleService.getUserRoleOptions(me.id);
if (!me.isRoot && !role.canInvite) {
throw new Error('access denied');
}
const code = rndstr({ const code = rndstr({
length: 8, length: 8,
chars: '2-9A-HJ-NP-Z', // [0-9A-Z] w/o [01IO] (32 patterns) chars: '2-9A-HJ-NP-Z', // [0-9A-Z] w/o [01IO] (32 patterns)