UNPKG

@flowfuse/flowfuse

Version:

An open source low-code development platform

flowfuse.com

FlowFuse/flowfuse

78 lines (76 loc) 4.18 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
module.exports = { defaultPreHandler: async (app, request, reply) => { if (request.params.teamId !== undefined || request.params.teamSlug !== undefined) { // The route may provide either :teamId or :teamSlug if (request.params.teamId || request.params.teamSlug) { let teamId = request.params.teamId if (request.params.teamSlug) { // If :teamSlug is provided, need to lookup the team to get // its id for subsequent checks request.team = await app.db.models.Team.bySlug(request.params.teamSlug) if (!request.team) { reply.code(404).send({ code: 'not_found', error: 'Not Found' }) return } teamId = request.team.hashid } try { if (!request.session.User) { // If request.session.User is not defined, this request is being // made with an access token. If it is a project access token, // ensure that project is in this team if (request.session.ownerType === 'project') { // Want this to be as small a query as possible. Sequelize // doesn't make it easy to just get `TeamId` without doing // a join on Team table. const project = await app.db.models.Project.findOne({ where: { id: request.session.ownerId }, include: { model: app.db.models.Team, attributes: ['hashid', 'id'] } }) // Ensure the token's project is in the team being accessed if (project && project.Team.hashid === teamId) { return } } else if (request.session.ownerType === 'device') { // Want this to be as small a query as possible. Sequelize // doesn't make it easy to just get `TeamId` without doing // a join on Team table. const device = await app.db.models.Device.findOne({ where: { id: request.session.ownerId }, include: { model: app.db.models.Team, attributes: ['hashid', 'id'] } }) // Ensure the device is in the team being accessed if (device && device.Team.hashid === teamId) { return } } reply.code(404).send({ code: 'not_found', error: 'Not Found' }) return } request.teamMembership = await request.session.User.getTeamMembership(teamId) if (!request.teamMembership && !request.session.User?.admin) { reply.code(404).send({ code: 'not_found', error: 'Not Found' }) return } if (!request.team) { // For a :teamId route, we can now lookup the full team object request.team = await app.db.models.Team.byId(request.params.teamId) if (!request.team) { reply.code(404).send({ code: 'not_found', error: 'Not Found' }) } } } catch (err) { reply.code(404).send({ code: 'not_found', error: 'Not Found' }) } } else { reply.code(404).send({ code: 'not_found', error: 'Not Found' }) } } } }