Prevent direct(us_) access through /items

This commit is contained in:
rijkvanzanten
2021-02-26 17:30:51 -05:00
parent 09a4b673eb
commit ba4810bac3


@@ -14,6 +14,8 @@ router.post(
'/:collection',
collectionExists,
asyncHandler(async (req, res, next) => {
if (req.params.collection.startsWith('directus_')) throw new ForbiddenException();
if (req.singleton) {
throw new RouteNotFoundException(req.path);
}
@@ -22,6 +24,7 @@ router.post(
accountability: req.accountability,
schema: req.schema,
});
const primaryKey = await service.create(req.body);
try {
@@ -44,6 +47,8 @@ router.get(
'/:collection',
collectionExists,
asyncHandler(async (req, res, next) => {
if (req.params.collection.startsWith('directus_')) throw new ForbiddenException();
const service = new ItemsService(req.collection, {
accountability: req.accountability,
schema: req.schema,
@@ -74,6 +79,8 @@ router.get(
'/:collection/:pk',
collectionExists,
asyncHandler(async (req, res, next) => {
if (req.params.collection.startsWith('directus_')) throw new ForbiddenException();
if (req.singleton) {
throw new RouteNotFoundException(req.path);
}
@@ -97,6 +104,8 @@ router.patch(
'/:collection',
collectionExists,
asyncHandler(async (req, res, next) => {
if (req.params.collection.startsWith('directus_')) throw new ForbiddenException();
const service = new ItemsService(req.collection, {
accountability: req.accountability,
schema: req.schema,
@@ -160,6 +169,8 @@ router.patch(
'/:collection/:pk',
collectionExists,
asyncHandler(async (req, res, next) => {
if (req.params.collection.startsWith('directus_')) throw new ForbiddenException();
if (req.singleton) {
throw new RouteNotFoundException(req.path);
}
@@ -192,6 +203,8 @@ router.delete(
'/:collection',
collectionExists,
asyncHandler(async (req, res, next) => {
if (req.params.collection.startsWith('directus_')) throw new ForbiddenException();
if (!req.body || Array.isArray(req.body) === false) {
throw new InvalidPayloadException(`Body has to be an array of primary keys`);
}
@@ -210,6 +223,8 @@ router.delete(
'/:collection/:pk',
collectionExists,
asyncHandler(async (req, res, next) => {
if (req.params.collection.startsWith('directus_')) throw new ForbiddenException();
const service = new ItemsService(req.collection, {
accountability: req.accountability,
schema: req.schema,
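Review bot: The `directus_` guard is the same one-liner pasted into seven handlers (the line following `asyncHandler(async (req, res, next) => {` in every hunk except the whitespace-only second one), so the protection depends on each future route on this router remembering to repeat it; a middleware placed next to `collectionExists` in every route enforces it once and centrally. Express passes a synchronous throw from a middleware to the error handler, but handing the exception to `next()` is the conventional form and keeps the check independent of `asyncHandler`. All of the handler bodies that the hunks cut into begin with `router.post(`/`router.get(`/`router.patch(`/`router.delete(` above the hunk and continue below it.
```javascript
// Rejects requests that name a system table; internal collections have dedicated routers.
function rejectSystemCollection(req, res, next) {
	if (req.params.collection.startsWith('directus_')) return next(new ForbiddenException());
	return next();
}

router.get('/:collection', collectionExists, rejectSystemCollection, asyncHandler(async (req, res, next) => {
	// … unchanged: handler body, with the inline startsWith() check removed …
```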