fix(security): restrict publish-presentation routes to project owners
Build and Deploy Verso / deploy (push) Successful in 10m54s
Read-only collaborators and token-link users could publish, unpublish, and rotate presentation share tokens. Change all three write endpoints from ensureUserCanReadProject to ensureUserCanAdminProject so only the project owner can perform these actions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -695,17 +695,17 @@ async function initialize(webRouter, privateApiRouter, publicApiRouter) {
)
webRouter.post(
'/project/:Project_id/publish-presentation',
AuthorizationMiddleware.ensureUserCanReadProject,
AuthorizationMiddleware.ensureUserCanAdminProject,
PublishedPresentationController.publish
)
webRouter.post(
'/project/:Project_id/publish-presentation/regenerate',
AuthorizationMiddleware.ensureUserCanReadProject,
AuthorizationMiddleware.ensureUserCanAdminProject,
PublishedPresentationController.regenerate
)
webRouter.delete(
'/project/:Project_id/publish-presentation',
AuthorizationMiddleware.ensureUserCanReadProject,
AuthorizationMiddleware.ensureUserCanAdminProject,
PublishedPresentationController.unpublish
)
// On-demand export of a RevealJS deck (download menu): html | pdf.
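Review bot: the guard swap on all three write routes (publish, regenerate, unpublish) ships without any accompanying test change, so the regression described in the commit message could silently return; add acceptance tests asserting that a read-only collaborator and a token-link user receive 403 on POST /project/:Project_id/publish-presentation, POST /project/:Project_id/publish-presentation/regenerate and DELETE /project/:Project_id/publish-presentation, while the owner still succeeds on all three. It is also worth stating explicitly in the commit message that read-write collaborators are meant to be excluded as well: ensureUserCanAdminProject restricts to the owner, which matches the "only the project owner" wording, but if collaborators with write access were intended to keep publishing, a write-level check rather than the admin check would be the correct middleware.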