Only return fields you're allowed to read

rijkvanzanten
2020-08-28 16:12:32 -04:00
parent baaaa50049
commit 336cd65646
2 changed files with 53 additions and 17 deletions


@@ -3,7 +3,7 @@ import asyncHandler from 'express-async-handler';
import FieldsService from '../services/fields';
import validateCollection from '../middleware/collection-exists';
import { schemaInspector } from '../database';
import { FieldNotFoundException, InvalidPayloadException } from '../exceptions';
import { FieldNotFoundException, InvalidPayloadException, ForbiddenException } from '../exceptions';
import Joi from 'joi';
import { Field } from '../types/field';
import useCollection from '../middleware/use-collection';
@@ -48,7 +48,7 @@ router.get(
const service = new FieldsService({ accountability: req.accountability });
const exists = await schemaInspector.hasColumn(req.collection, req.params.field);
if (exists === false) throw new FieldNotFoundException(req.collection, req.params.field);
if (exists === false) throw new ForbiddenException();
const field = await service.readOne(req.params.collection, req.params.field);
return res.json({ data: field || null });
@@ -122,8 +122,10 @@ router.patch(
useCollection('directus_fields'),
// @todo: validate field
asyncHandler(async (req, res) => {
const service = new FieldsService({ accountability: req.accountability });
const exists = await schemaInspector.hasColumn(req.collection, req.params.field);
if (exists === false) throw new ForbiddenException();
const service = new FieldsService({ accountability: req.accountability });
const fieldData: Partial<Field> & { field: string; type: typeof types[number] } = req.body;
if (!fieldData.field) fieldData.field = req.params.field;
@@ -141,6 +143,9 @@ router.delete(
validateCollection,
useCollection('directus_fields'),
asyncHandler(async (req, res) => {
const exists = await schemaInspector.hasColumn(req.collection, req.params.field);
if (exists === false) throw new ForbiddenException();
const service = new FieldsService({ accountability: req.accountability });
await service.deleteField(req.params.collection, req.params.field, req.accountability);