fix(security): signing in public folders

KernelDeimos · KernelDeimos · commit 937528f7676e · 2024-08-22T23:48:30.000-04:00
diff --git a/src/backend/src/routers/file.js b/src/backend/src/routers/file.js
@@ -39,6 +39,12 @@ router.get('/file', async (req, res, next)=>{
         console.log(e)
         return res.status(403).send(e);
     }
+    
+    let can_write = false;
+    try{
+        validate_signature_auth(get_url_from_req(req), 'write');
+        can_write = true;
+    }catch(e){}
 
     const log = req.services.get('log-service').create('/file');
     const errors = req.services.get('error-service').create(log);
@@ -80,7 +86,8 @@ router.get('/file', async (req, res, next)=>{
         if(children.length>0){
             for(const child of children){
                 // sign file
-                const signed_child = await sign_file(child, 'write');
+                const signed_child = await sign_file(child,
+                    can_write ? 'write' : 'read');
                 signed_children.push(signed_child);
             }
         }
diff --git a/src/backend/src/routers/open_item.js b/src/backend/src/routers/open_item.js
@@ -54,11 +54,16 @@ module.exports = eggspress('/open_item', {
     }
 
     const svc_acl = Context.get('services').get('acl');
-    if ( ! await svc_acl.check(actor, subject, 'see') ) {
-        throw await svc_acl.get_safe_acl_error(actor, subject, 'see');
+    if ( ! await svc_acl.check(actor, subject, 'read') ) {
+        throw await svc_acl.get_safe_acl_error(actor, subject, 'read');
+    }
+    
+    let action = 'write';
+    if ( ! await svc_acl.check(actor, subject, 'write') ) {
+        action = 'read';
     }
 
-    const signature = await sign_file(subject.entry, 'write');
+    const signature = await sign_file(subject.entry, action);
     const suggested_apps = await suggest_app_for_fsentry(subject.entry);
     console.log('suggested apps?', suggested_apps);
     const apps_only_one = suggested_apps.slice(0,1);
diff --git a/src/backend/src/routers/sign.js b/src/backend/src/routers/sign.js
@@ -111,8 +111,14 @@ module.exports = eggspress('/sign', {
         }
 
         const svc_acl = Context.get('services').get('acl');
-        if ( ! await svc_acl.check(actor, node, 'see') ) {
-            throw await svc_acl.get_safe_acl_error(actor, node, 'see');
+        if ( ! await svc_acl.check(actor, node, 'read') ) {
+            throw await svc_acl.get_safe_acl_error(actor, node, 'read');
+        }
+        
+        if ( item.action === 'write' ) {
+            if ( ! await svc_acl.check(actor, node, 'write') ) {
+                throw await svc_acl.get_safe_acl_error(actor, node, 'write');
+            }
         }
 
         if ( app !== null ) {
