jazzymc/homarr
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(security): missing authorization check for changes to notebook widget (#2832)

Browse Source
This commit is contained in:
Meier Lukas
2025-04-09 15:24:37 +02:00
committed by GitHub
parent 092c95bbe0
commit 3948f7f9a4
2 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
packages/api/src/router/widgets/notebook.ts
View File

@@ -3,9 +3,10 @@ import SuperJSON from "superjson";
import { z } from "zod";
import { eq } from "@homarr/db";
import { items } from "@homarr/db/schema";
import { boards, items } from "@homarr/db/schema";
import { createTRPCRouter, protectedProcedure } from "../../trpc";
import { throwIfActionForbiddenAsync } from "../board/board-access";
export const notebookRouter = createTRPCRouter({
updateContent: protectedProcedure
@@ -17,6 +18,8 @@ export const notebookRouter = createTRPCRouter({
}),
)
.mutation(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.boardId), "modify");
const item = await ctx.db.query.items.findFirst({
where: eq(items.id, input.itemId),
});

11
packages/widgets/src/notebook/notebook.tsx
View File

@@ -67,6 +67,10 @@ import type { WidgetComponentProps } from "../definition";
import "./notebook.css";
import { useSession } from "@homarr/auth/client";
import { constructBoardPermissions } from "@homarr/auth/shared";
import { useRequiredBoard } from "@homarr/boards/context";
const iconProps = {
size: 30,
stroke: 1.5,
@@ -81,8 +85,11 @@ export function Notebook({ options, isEditMode, boardId, itemId }: WidgetCompone
const [content, setContent] = useState(options.content);
const [toSaveContent, setToSaveContent] = useState(content);
// TODO: Add check for user permissions
const enabled = !isEditMode;
const board = useRequiredBoard();
const { data: session } = useSession();
const { hasChangeAccess } = constructBoardPermissions(board, session);
const enabled = !isEditMode && hasChangeAccess;
const [isEditing, setIsEditing] = useState(false);
const { primaryColor } = useMantineTheme();