From d5cde8b7c27a47ab45b05b441db16751537f1733 Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Mon, 22 Jan 2024 14:31:19 -0800
Subject: [PATCH] Apply permissioning on document modification endpoints (#637)
---
 server/endpoints/system.js | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index 14aa22e04..4eb82fb0a 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -189,7 +189,7 @@ function systemEndpoints(app) {
 app.get(
 "/system/system-vectors",
- [validatedRequest],
+ [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
 async (request, response) => {
 try {
 const query = queryParams(request);
@@ -207,7 +207,7 @@ function systemEndpoints(app) {
 app.delete(
 "/system/remove-document",
- [validatedRequest],
+ [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
 async (request, response) => {
 try {
 const { name } = reqBody(request);
@@ -222,7 +222,7 @@ function systemEndpoints(app) {
 app.delete(
 "/system/remove-folder",
- [validatedRequest],
+ [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
 async (request, response) => {
 try {
 const { name } = reqBody(request);
@@ -235,15 +235,19 @@ function systemEndpoints(app) {
 }
 );
- app.get("/system/local-files", [validatedRequest], async (_, response) => {
- try {
- const localFiles = await viewLocalFiles();
- response.status(200).json({ localFiles });
- } catch (e) {
- console.log(e.message, e);
- response.sendStatus(500).end();
+ app.get(
+ "/system/local-files",
+ [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
+ async (_, response) => {
+ try {
+ const localFiles = await viewLocalFiles();
+ response.status(200).json({ localFiles });
+ } catch (e) {
+ console.log(e.message, e);
+ response.sendStatus(500).end();
+ }
 }
- });
+ );
 app.get(
 "/system/document-processing-status",
-- GitLab
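Review bot: The guard `flexUserRoleValid([ROLES.admin, ROLES.manager])` is spelled out in full on the `/system/system-vectors` route and again in the remove-document, remove-folder and local-files hunks, so the four routes can drift apart the next time a role is added or removed. Building it once inside `systemEndpoints`, for example `const canManageDocuments = flexUserRoleValid([ROLES.admin, ROLES.manager]);`, and passing `[validatedRequest, canManageDocuments]` keeps the policy in one place; this assumes the returned middleware keeps no per-route state, which the page does not show. A short comment next to it stating which roles may modify documents, and what the `flex` variant permits compared with a strict role check, would help the next reviewer, since that helper is not visible here. The body of `systemEndpoints` starts and ends outside the hunk.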
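Review bot: The added role check limits who may call the `/system/remove-document` DELETE route, but `name` at `const { name } = reqBody(request);` still comes straight from the request body with no visible validation, and the same applies to the remove-folder hunk. The code that consumes `name` lies outside both hunks, so it should be confirmed that the removal helper rejects non-string values and resolves the name strictly inside the document storage directory before deleting anything. At minimum I would add `if (typeof name !== "string" || name.length === 0) return response.sendStatus(400);` right after the destructuring, with the comment `// name is caller-supplied; the removal helper must keep it inside the documents directory`. Recording which user removed which document would also make these privileged deletions auditable.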
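Review bot: The rewrapped `/system/local-files` handler carries over `response.sendStatus(500).end();`, where the trailing `.end()` is redundant because Express's `sendStatus` already sends and finishes the response; `response.sendStatus(500);` is sufficient. `console.log(e.message, e)` prints the message twice and writes a failure to stdout, so `console.error(e)` reads better and keeps errors on the error stream. Since this hunk changes who may list stored files, a brief comment above the route naming the roles allowed to see the listing would document the intent. The enclosing `systemEndpoints` function continues outside the hunk.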