From 4bc7c70e2ec9a1e11a50cf97805cd51c046ca5b5 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Thu, 26 Mar 2020 18:54:16 -0700
Subject: [PATCH] make eventlog routes owner only
(cherry picked from commit 007a8d248dcb874cabc50d8fc3cf2522c16b3618)
---
 src/server.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/server.js b/src/server.js
index 3bf50d8f5..39ba631fd 100644
--- a/src/server.js
+++ b/src/server.js
@@ -244,7 +244,13 @@ function initializeExpressSync() {
 }, routes.settings.set);
 // email routes
- router.get('/api/v1/mailserver/:pathname', token, authorizeAdmin, routes.mailserver.proxy);
+ router.get('/api/v1/mailserver/:pathname', token, (req, res, next) => {
+ // some routes are more special than others
+ if (req.params.pathname === 'eventlog' || req.params.pathname === 'clear_eventlog') {
+ return authorizeOwner(req, res, next);
+ }
+ authorizeAdmin(req, res, next);
+ }, routes.mailserver.proxy);
 router.get ('/api/v1/mail/:domain', token, authorizeAdmin, routes.mail.getDomain);
 router.post('/api/v1/mail', token, authorizeAdmin, routes.mail.addDomain);
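Review bot: The owner-only check in the new middleware fails open, because it is an exact, case-sensitive comparison of `req.params.pathname` against two names and every other value falls through to `authorizeAdmin`. Whether the restriction holds therefore depends on how `routes.mailserver.proxy` and the mail server behind it resolve the forwarded path, which is not visible in this hunk. Inverting the default would be safer: list the pathnames admins may reach and send everything else to the owner check, e.g. `if (!ADMIN_MAILSERVER_PATHS.has(req.params.pathname)) return authorizeOwner(req, res, next);`, where `ADMIN_MAILSERVER_PATHS` is a new constant to define. Only the GET registration is changed here, so any other method registered on `/api/v1/mailserver/:pathname` outside the hunk needs the same guard. The comment `// some routes are more special than others` would say more as `// eventlog and clear_eventlog are owner-only; all other mailserver paths are admin`.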