make eventlog routes owner only

2020-03-26 18:54:16 -07:00
parent 58d4a3455b
commit 007a8d248d
1 changed files with 7 additions and 1 deletions
--- a/src/server.js
+++ b/src/server.js
@@ -244,7 +244,13 @@ function initializeExpressSync() {
    }, routes.settings.set);

    // email routes
-    router.get('/api/v1/mailserver/:pathname', token, authorizeAdmin, routes.mailserver.proxy);
+    router.get('/api/v1/mailserver/:pathname', token, (req, res, next) => {
+        // some routes are more special than others
+        if (req.params.pathname === 'eventlog' || req.params.pathname === 'clear_eventlog') {
+            return authorizeOwner(req, res, next);
+        }
+        authorizeAdmin(req, res, next);
+    }, routes.mailserver.proxy);

    router.get ('/api/v1/mail/:domain',       token, authorizeAdmin, routes.mail.getDomain);
    router.post('/api/v1/mail',               token, authorizeAdmin, routes.mail.addDomain);