fix(security): restrict publish-presentation routes to project owners
Read-only collaborators and token-link users could publish, unpublish, and rotate presentation share tokens. Change all three write endpoints from ensureUserCanReadProject to ensureUserCanAdminProject so only the project owner can perform these actions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -695,17 +695,17 @@ async function initialize(webRouter, privateApiRouter, publicApiRouter) {
|
|||||||
)
|
)
|
||||||
webRouter.post(
|
webRouter.post(
|
||||||
'/project/:Project_id/publish-presentation',
|
'/project/:Project_id/publish-presentation',
|
||||||
AuthorizationMiddleware.ensureUserCanReadProject,
|
AuthorizationMiddleware.ensureUserCanAdminProject,
|
||||||
PublishedPresentationController.publish
|
PublishedPresentationController.publish
|
||||||
)
|
)
|
||||||
webRouter.post(
|
webRouter.post(
|
||||||
'/project/:Project_id/publish-presentation/regenerate',
|
'/project/:Project_id/publish-presentation/regenerate',
|
||||||
AuthorizationMiddleware.ensureUserCanReadProject,
|
AuthorizationMiddleware.ensureUserCanAdminProject,
|
||||||
PublishedPresentationController.regenerate
|
PublishedPresentationController.regenerate
|
||||||
)
|
)
|
||||||
webRouter.delete(
|
webRouter.delete(
|
||||||
'/project/:Project_id/publish-presentation',
|
'/project/:Project_id/publish-presentation',
|
||||||
AuthorizationMiddleware.ensureUserCanReadProject,
|
AuthorizationMiddleware.ensureUserCanAdminProject,
|
||||||
PublishedPresentationController.unpublish
|
PublishedPresentationController.unpublish
|
||||||
)
|
)
|
||||||
// On-demand export of a RevealJS deck (download menu): html | pdf.
|
// On-demand export of a RevealJS deck (download menu): html | pdf.
|
||||||
|
|||||||
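Review bot: The three routes now gate on `AuthorizationMiddleware.ensureUserCanAdminProject` while the commit message says only the project owner may perform these actions; whether that middleware admits only the owner or also collaborators holding an admin-level role is not visible in this hunk, so the route should carry a comment naming the privilege actually checked, e.g. `// Publishing, unpublishing and rotating the share token require admin-level project access; read access (including token-link access) is not sufficient.` The hunk also shows no regression test asserting that a read-only collaborator and a token-link user receive a 403 on POST `/project/:Project_id/publish-presentation`, POST `/project/:Project_id/publish-presentation/regenerate` and DELETE `/project/:Project_id/publish-presentation`; if the commit has none elsewhere, one is worth adding, since this authorization gap was already missed once. The enclosing `initialize` function starts before and continues after the hunk.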