This commit is contained in:
syuilo 2023-01-13 14:46:56 +09:00
parent 54ff4e53cb
commit 0a6e237d09
3 changed files with 14 additions and 7 deletions

View file

@ -271,6 +271,17 @@ export class ApiCallService implements OnApplicationShutdown {
}
}
if (ep.meta.requireRoleOption != null && !user!.isRoot) {
const myRole = await this.roleService.getUserRoleOptions(user!.id);
if (!myRole[ep.meta.requireRoleOption]) {
throw new ApiError({
message: 'You are not assigned to a required role.',
code: 'ROLE_PERMISSION_DENIED',
id: '7f86f06f-7e15-4057-8561-f4b6d4ac755a',
});
}
}
if (token && ep.meta.kind && !token.permission.some(p => p === ep.meta.kind)) {
throw new ApiError({
message: 'Your app does not have the necessary permissions to use this endpoint.',

View file

@ -695,6 +695,8 @@ export interface IEndpointMeta {
*/
readonly requireAdmin?: boolean;
readonly requireRoleOption?: string;
/**
*
*

View file

@ -4,12 +4,12 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
import type { RegistrationTicketsRepository } from '@/models/index.js';
import { IdService } from '@/core/IdService.js';
import { DI } from '@/di-symbols.js';
import { RoleService } from '@/core/RoleService.js';
export const meta = {
tags: ['meta'],
requireCredential: true,
requireRoleOption: 'canInvite',
res: {
type: 'object',
@ -39,15 +39,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
@Inject(DI.registrationTicketsRepository)
private registrationTicketsRepository: RegistrationTicketsRepository,
private roleService: RoleService,
private idService: IdService,
) {
super(meta, paramDef, async (ps, me) => {
const role = await this.roleService.getUserRoleOptions(me.id);
if (!me.isRoot && !role.canInvite) {
throw new Error('access denied');
}
const code = rndstr({
length: 8,
chars: '2-9A-HJ-NP-Z', // [0-9A-Z] w/o [01IO] (32 patterns)