StarMC/Astral-nook
StarMC/Astral-nook
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

[Security] Don't return all servers on the system when not a root admin and admin level servers are requested

Browse source 
Cleaned up the API endpoint by simplifying the logic and adds test case to cover this bug.

If you ever need to list _all_ of the servers on the system you should be using the application API endpoint for the servers most likely.
This commit is contained in:
Dane Everitt 2020-07-26 10:43:46 -07:00
parent 24db6d9128
commit f0ac0725b6
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
6 changed files with 84 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

6
resources/scripts/api/getServers.ts
View file

@ -4,14 +4,14 @@ import http, { getPaginationSet, PaginatedResult } from '@/api/http';
interface QueryParams {
query?: string;
page?: number;
includeAdmin?: boolean;
onlyAdmin?: boolean;
}
export default ({ query, page = 1, includeAdmin = false }: QueryParams): Promise<PaginatedResult<Server>> => {
export default ({ query, page = 1, onlyAdmin = false }: QueryParams): Promise<PaginatedResult<Server>> => {
return new Promise((resolve, reject) => {
http.get('/api/client', {
params: {
type: includeAdmin ? 'all' : undefined,
type: onlyAdmin ? 'admin' : undefined,
'filter[name]': query,
page,
},