mirrors/TiddlyWiki5
1
0
Fork 0
mirror of https://github.com/Jermolene/TiddlyWiki5 synced 2025-01-22 23:16:53 +00:00
Code Issues Releases Wiki Activity

#8849 fixed 403 error on ACL page (#8851)

Browse Source
This commit is contained in:
webplusai 2024-12-23 10:15:54 +00:00 committed by GitHub
parent 1f1b785524
commit faf5d6982e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/get-acl.js
View File

@ -39,7 +39,7 @@ exports.handler = function (request, response, state) {
var permissions = state.server.sqlTiddlerDatabase.listPermissions(); var permissions = state.server.sqlTiddlerDatabase.listPermissions();
// This ensures that the user attempting to view the ACL management page has permission to do so // This ensures that the user attempting to view the ACL management page has permission to do so
if(!state.authenticatedUser || (recipeAclRecords.length > 0 && !sqlTiddlerDatabase.hasRecipePermission(state.authenticatedUser.user_id, recipeName, 'WRITE'))){ if(!state.authenticatedUser?.isAdmin && (!state.authenticatedUser || (recipeAclRecords.length > 0 && !sqlTiddlerDatabase.hasRecipePermission(state.authenticatedUser.user_id, recipeName, 'WRITE')))){
response.writeHead(403, "Forbidden"); response.writeHead(403, "Forbidden");
response.end(); response.end();
return return

4
plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/get-index.js
View File

@ -31,8 +31,8 @@ exports.handler = function(request,response,state) {
"Content-Type": "text/html" "Content-Type": "text/html"
}); });
// filter bags and recipies by user's read access from ACL // filter bags and recipies by user's read access from ACL
var allowedRecipes = recipeList.filter(recipe => recipe.recipe_name.startsWith("$:/") || sqlTiddlerDatabase.hasRecipePermission(state.authenticatedUser?.user_id, recipe.recipe_name, 'READ') || state.allowAnon && state.allowAnonReads); var allowedRecipes = recipeList.filter(recipe => recipe.recipe_name.startsWith("$:/") || state.authenticatedUser?.isAdmin || sqlTiddlerDatabase.hasRecipePermission(state.authenticatedUser?.user_id, recipe.recipe_name, 'READ') || state.allowAnon && state.allowAnonReads);
var allowedBags = bagList.filter(bag => bag.bag_name.startsWith("$:/") || sqlTiddlerDatabase.hasBagPermission(state.authenticatedUser?.user_id, bag.bag_name, 'READ') || state.allowAnon && state.allowAnonReads); var allowedBags = bagList.filter(bag => bag.bag_name.startsWith("$:/") || state.authenticatedUser?.isAdmin || sqlTiddlerDatabase.hasBagPermission(state.authenticatedUser?.user_id, bag.bag_name, 'READ') || state.allowAnon && state.allowAnonReads);
// Render the html // Render the html
var html = $tw.mws.store.adminWiki.renderTiddler("text/plain","$:/plugins/tiddlywiki/multiwikiserver/templates/page",{ var html = $tw.mws.store.adminWiki.renderTiddler("text/plain","$:/plugins/tiddlywiki/multiwikiserver/templates/page",{

6
plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js
View File

@ -51,6 +51,12 @@ exports.middleware = function (request, response, state, entityType, permissionN
var hasAnonymousAccess = state.allowAnon ? (isGetRequest ? state.allowAnonReads : state.allowAnonWrites) : false; var hasAnonymousAccess = state.allowAnon ? (isGetRequest ? state.allowAnonReads : state.allowAnonWrites) : false;
var anonymousAccessConfigured = state.anonAccessConfigured; var anonymousAccessConfigured = state.anonAccessConfigured;
var entity = sqlTiddlerDatabase.getEntityByName(entityType, decodedEntityName); var entity = sqlTiddlerDatabase.getEntityByName(entityType, decodedEntityName);
var isAdmin = state.authenticatedUser?.isAdmin;
if(isAdmin) {
return;
}
if(entity?.owner_id) { if(entity?.owner_id) {
if(state.authenticatedUser?.user_id && (state.authenticatedUser?.user_id !== entity.owner_id) || !state.authenticatedUser?.user_id && !hasAnonymousAccess) { if(state.authenticatedUser?.user_id && (state.authenticatedUser?.user_id !== entity.owner_id) || !state.authenticatedUser?.user_id && !hasAnonymousAccess) {
const hasPermission = state.authenticatedUser?.user_id ? const hasPermission = state.authenticatedUser?.user_id ?