From c891a955881ff3dd00261bb9368dc924d1c4219c Mon Sep 17 00:00:00 2001 From: Philip Molares Date: Sun, 6 Feb 2022 22:09:22 +0100 Subject: [PATCH] feat: checkNoteIdOrAlias in more alias service methods This should prevent any interaction by a forbidden id Signed-off-by: Philip Molares --- src/api/private/alias/alias.controller.ts | 7 +++---- src/api/public/alias/alias.controller.ts | 8 ++++---- src/notes/alias.service.ts | 8 +++++++- src/notes/notes.service.ts | 11 +++-------- 4 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/api/private/alias/alias.controller.ts b/src/api/private/alias/alias.controller.ts index aacbc13a5..06876d736 100644 --- a/src/api/private/alias/alias.controller.ts +++ b/src/api/private/alias/alias.controller.ts @@ -21,7 +21,6 @@ import { ApiNotFoundResponse, ApiTags, ApiUnauthorizedResponse, - ApiUnprocessableEntityResponse, } from '@nestjs/swagger'; import { SessionGuard } from '../../../identity/session.guard'; @@ -39,7 +38,6 @@ import { conflictDescription, notFoundDescription, unauthorizedDescription, - unprocessableEntityDescription, } from '../../utils/descriptions'; import { RequestUser } from '../../utils/request-user.decorator'; @@ -58,6 +56,7 @@ export class AliasController { } @Post() + @ApiBadRequestResponse({ description: badRequestDescription }) @ApiConflictResponse({ description: conflictDescription }) @ApiUnauthorizedResponse({ description: unauthorizedDescription }) @ApiNotFoundResponse({ description: notFoundDescription }) @@ -104,8 +103,8 @@ export class AliasController { @HttpCode(204) @ApiUnauthorizedResponse({ description: unauthorizedDescription }) @ApiNotFoundResponse({ description: notFoundDescription }) - @ApiUnprocessableEntityResponse({ - description: unprocessableEntityDescription, + @ApiBadRequestResponse({ + description: badRequestDescription, }) async removeAlias( @RequestUser() user: User, diff --git a/src/api/public/alias/alias.controller.ts b/src/api/public/alias/alias.controller.ts index f77d03652..355540775 100644 --- a/src/api/public/alias/alias.controller.ts +++ b/src/api/public/alias/alias.controller.ts @@ -16,11 +16,11 @@ import { UseGuards, } from '@nestjs/common'; import { + ApiBadRequestResponse, ApiNoContentResponse, ApiOkResponse, ApiSecurity, ApiTags, - ApiUnprocessableEntityResponse, } from '@nestjs/swagger'; import { TokenAuthGuard } from '../../../auth/token.strategy'; @@ -32,7 +32,7 @@ import { AliasService } from '../../../notes/alias.service'; import { NotesService } from '../../../notes/notes.service'; import { PermissionsService } from '../../../permissions/permissions.service'; import { User } from '../../../users/user.entity'; -import { unprocessableEntityDescription } from '../../utils/descriptions'; +import { badRequestDescription } from '../../utils/descriptions'; import { FullApi } from '../../utils/fullapi-decorator'; import { RequestUser } from '../../utils/request-user.decorator'; @@ -103,8 +103,8 @@ export class AliasController { description: 'The alias was deleted', }) @FullApi - @ApiUnprocessableEntityResponse({ - description: unprocessableEntityDescription, + @ApiBadRequestResponse({ + description: badRequestDescription, }) async removeAlias( @RequestUser() user: User, diff --git a/src/notes/alias.service.ts b/src/notes/alias.service.ts index 179541c7e..82eab0ff8 100644 --- a/src/notes/alias.service.ts +++ b/src/notes/alias.service.ts @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file) + * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file) * * SPDX-License-Identifier: AGPL-3.0-only */ @@ -36,6 +36,7 @@ export class AliasService { * @param {Note} note - the note to add the alias to * @param {string} alias - the alias to add to the note * @throws {AlreadyInDBError} the alias is already in use. + * @throws {ForbiddenIdError} the requested id or alias is forbidden * @return {Alias} the new alias */ async addAlias(note: Note, alias: string): Promise { @@ -79,6 +80,7 @@ export class AliasService { * Set the specified alias as the primary alias of the note. * @param {Note} note - the note to change the primary alias * @param {string} alias - the alias to be the new primary alias of the note + * @throws {ForbiddenIdError} the requested id or alias is forbidden * @throws {NotInDBError} the alias is not part of this note. * @return {Alias} the new primary alias */ @@ -87,6 +89,8 @@ export class AliasService { let oldPrimaryId = ''; let newPrimaryId = ''; + this.notesService.checkNoteIdOrAlias(alias); + for (const anAlias of await note.aliases) { // found old primary if (anAlias.primary) { @@ -130,10 +134,12 @@ export class AliasService { * Remove the specified alias from the note. * @param {Note} note - the note to remove the alias from * @param {string} alias - the alias to remove from the note + * @throws {ForbiddenIdError} the requested id or alias is forbidden * @throws {NotInDBError} the alias is not part of this note. * @throws {PrimaryAliasDeletionForbiddenError} the primary alias can only be deleted if it's the only alias */ async removeAlias(note: Note, alias: string): Promise { + this.notesService.checkNoteIdOrAlias(alias); const primaryAlias = await getPrimaryAlias(note); if (primaryAlias === alias && (await note.aliases).length !== 1) { diff --git a/src/notes/notes.service.ts b/src/notes/notes.service.ts index 484c7ce89..f1cf658d8 100644 --- a/src/notes/notes.service.ts +++ b/src/notes/notes.service.ts @@ -157,20 +157,15 @@ export class NotesService { * @param {string} noteIdOrAlias - the notes id or alias * @return {Note} the note * @throws {NotInDBError} there is no note with this id or alias + * @throws {ForbiddenIdError} the requested id or alias is forbidden */ async getNoteByIdOrAlias(noteIdOrAlias: string): Promise { this.logger.debug( `Trying to find note '${noteIdOrAlias}'`, 'getNoteByIdOrAlias', ); - try { - this.checkNoteIdOrAlias(noteIdOrAlias); - } catch (e) { - if (e instanceof ForbiddenIdError) { - throw new NotInDBError(e.message); - } - throw e; - } + + this.checkNoteIdOrAlias(noteIdOrAlias); /** * This query gets the note's aliases, owner, groupPermissions (and the groups), userPermissions (and the users) and tags and