fix: issues found in security audit (#1668)

This commit is contained in:
Meier Lukas
2024-12-15 21:16:42 +01:00
committed by GitHub
parent 032509e462
commit 922101dcbd
15 changed files with 70 additions and 27 deletions


@@ -66,9 +66,13 @@ const getBoardAndPermissionsAsync = async (params: Props["params"]) => {
export default async function BoardSettingsPage({ params, searchParams }: Props) {
const { board, permissions } = await getBoardAndPermissionsAsync(params);
const boardSettings = await getServerSettingByKeyAsync(db, "board");
const { hasFullAccess } = await getBoardPermissionsAsync(board);
const { hasFullAccess, hasChangeAccess } = await getBoardPermissionsAsync(board);
const t = await getScopedI18n("board.setting");
if (!hasChangeAccess) {
notFound();
}
return (
<Container>
<Stack>
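Review bot: The new guard `if (!hasChangeAccess) { notFound(); }` only runs after `getServerSettingByKeyAsync(db, "board")` has already been executed, so a user without change access still causes the server-settings read before being turned away; move the `getBoardPermissionsAsync` call and the guard directly after `getBoardAndPermissionsAsync(params)` so nothing beyond what the check needs is fetched first. `hasFullAccess` is still destructured next to `hasChangeAccess`; if it is no longer referenced further down, drop it so the purpose of the line is just the access check. This page-level guard protects rendering only, and the server procedure that persists board settings needs its own equivalent check, which this hunk does not show. `BoardSettingsPage` continues past the end of the hunk.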


@@ -1,6 +1,8 @@
import { notFound } from "next/navigation";
import { Stack, Title } from "@mantine/core";
import { api } from "@homarr/api/server";
import { auth } from "@homarr/auth/next";
import { getScopedI18n } from "@homarr/translation/server";
import { CrawlingAndIndexingSettings } from "~/app/[locale]/manage/settings/_components/crawling-and-indexing.settings";
@@ -20,6 +22,12 @@ export async function generateMetadata() {
}
export default async function SettingsPage() {
const session = await auth();
if (!session?.user.permissions.includes("admin")) {
notFound();
}
const serverSettings = await api.serverSettings.getAll();
const tSettings = await getScopedI18n("management.page.settings");
return (
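Review bot: The admin guard `const session = await auth(); if (!session?.user.permissions.includes("admin")) { notFound(); }` is pasted verbatim here and again at L65, L86 and L108, so every future management page has to remember to copy it; a single shared helper exported next to `auth` (an `assertAdminAsync`-style function — the name is a placeholder) called once at the top of each page would make the rule hard to forget and give one place to audit. A one-line comment on that helper, such as `// Management pages return 404 rather than 403 so their existence is not disclosed to non-admins.`, would record why `notFound()` is used instead of a forbidden response. Because `permissions` is read through `session?.user` without its own optional chain, a session whose user object lacks `permissions` would throw instead of returning 404; I cannot confirm the session type from this hunk, so it is worth checking. `SettingsPage` continues past the end of the hunk.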


@@ -1,10 +1,12 @@
import Link from "next/link";
import { notFound } from "next/navigation";
import { Alert, Anchor, Center, Group, Stack, Table, TableTbody, TableTd, TableTr, Text, Title } from "@mantine/core";
import { IconExclamationCircle } from "@tabler/icons-react";
import type { RouterOutputs } from "@homarr/api";
import { api } from "@homarr/api/server";
import { env } from "@homarr/auth/env.mjs";
import { auth } from "@homarr/auth/next";
import { isProviderEnabled } from "@homarr/auth/server";
import { everyoneGroup } from "@homarr/definitions";
import { getI18n, getScopedI18n } from "@homarr/translation/server";
@@ -24,6 +26,12 @@ interface GroupsDetailPageProps {
}
export default async function GroupsDetailPage({ params, searchParams }: GroupsDetailPageProps) {
const session = await auth();
if (!session?.user.permissions.includes("admin")) {
notFound();
}
const t = await getI18n();
const tMembers = await getScopedI18n("management.page.group.setting.members");
const group = await api.group.getById({ id: params.id });


@@ -1,6 +1,8 @@
import { notFound } from "next/navigation";
import { Card, Group, Stack, Text, Title } from "@mantine/core";
import { api } from "@homarr/api/server";
import { auth } from "@homarr/auth/next";
import { everyoneGroup } from "@homarr/definitions";
import { getScopedI18n } from "@homarr/translation/server";
import { UserAvatar } from "@homarr/ui";
@@ -18,6 +20,12 @@ interface GroupsDetailPageProps {
}
export default async function GroupsDetailPage({ params }: GroupsDetailPageProps) {
const session = await auth();
if (!session?.user.permissions.includes("admin")) {
notFound();
}
const group = await api.group.getById({ id: params.id });
const tGeneral = await getScopedI18n("management.page.group.setting.general");
const tGroupAction = await getScopedI18n("group.action");


@@ -1,7 +1,9 @@
import React from "react";
import { notFound } from "next/navigation";
import { Card, CardSection, Divider, Group, Stack, Text, Title } from "@mantine/core";
import { api } from "@homarr/api/server";
import { auth } from "@homarr/auth/next";
import { objectKeys } from "@homarr/common";
import type { GroupPermissionKey } from "@homarr/definitions";
import { groupPermissions } from "@homarr/definitions";
@@ -16,6 +18,12 @@ interface GroupPermissionsPageProps {
}
export default async function GroupPermissionsPage({ params }: GroupPermissionsPageProps) {
const session = await auth();
if (!session?.user.permissions.includes("admin")) {
notFound();
}
const group = await api.group.getById({ id: params.id });
const tPermissions = await getScopedI18n("group.permission");
const t = await getI18n();