fix(security): missing authorization check for changes to notebook widget (#2832)

Meier Lukas
2025-04-09 15:24:37 +02:00
committed by GitHub
parent 092c95bbe0
commit 3948f7f9a4
2 changed files with 13 additions and 3 deletions


@@ -3,9 +3,10 @@ import SuperJSON from "superjson";
import { z } from "zod";
import { eq } from "@homarr/db";
import { items } from "@homarr/db/schema";
import { boards, items } from "@homarr/db/schema";
import { createTRPCRouter, protectedProcedure } from "../../trpc";
import { throwIfActionForbiddenAsync } from "../board/board-access";
export const notebookRouter = createTRPCRouter({
updateContent: protectedProcedure
@@ -17,6 +18,8 @@ export const notebookRouter = createTRPCRouter({
}),
)
.mutation(async ({ ctx, input }) => {
await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.boardId), "modify");
const item = await ctx.db.query.items.findFirst({
where: eq(items.id, input.itemId),
});
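Review bot: The added `throwIfActionForbiddenAsync` call authorizes against `input.boardId`, but the `findFirst` that follows selects the item by `input.itemId` alone, so nothing in this hunk ties the item to the board that was just checked. Both values are caller-supplied, so modify rights on one board could be presented alongside the id of an item that lives on a different board. The mutation body continues past the hunk, so a membership check may exist further down; if it does not, the lookup should be constrained to the authorized board, or the board should be resolved from the item and then checked. At minimum I would add `// input.boardId is caller-supplied: verify the item belongs to this board before writing` above the `findFirst` call.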