feat(backend): added projectID check for getUXTest endpoint

Alexander 2023-12-01 14:30:10 +01:00
parent 42e0fdb71e
commit 3de478650e


@ -377,7 +377,7 @@ func (e *Router) getUXTestInfo(w http.ResponseWriter, r *http.Request) {
bodySize := 0
// Check authorization
_, err := e.services.Tokenizer.ParseFromHTTPRequest(r)
sessInfo, err := e.services.Tokenizer.ParseFromHTTPRequest(r)
if err != nil {
ResponseWithError(w, http.StatusUnauthorized, err, startTime, r.URL.Path, bodySize)
return
@ -393,6 +393,15 @@ func (e *Router) getUXTestInfo(w http.ResponseWriter, r *http.Request) {
ResponseWithError(w, http.StatusInternalServerError, err, startTime, r.URL.Path, bodySize)
return
}
sess, err := e.services.Sessions.Get(sessInfo.ID)
if err != nil {
ResponseWithError(w, http.StatusForbidden, err, startTime, r.URL.Path, bodySize)
return
}
if sess.ProjectID != info.ProjectID {
ResponseWithError(w, http.StatusForbidden, errors.New("project mismatch"), startTime, r.URL.Path, bodySize)
return
}
type TaskInfoResponse struct {
Task *uxtesting.UXTestInfo `json:"test"`
}