Do not allow normal users to get group listings or details

Johannes Zellner
2016-02-25 13:34:01 +01:00
parent 7165be0513
commit a0d7406b3c
2 changed files with 38 additions and 4 deletions


@@ -110,9 +110,9 @@ function initializeExpressSync() {
router.post('/api/v1/users/:userId/invite', usersScope, routes.user.requireAdmin, routes.user.sendInvite);
// Group management
router.get ('/api/v1/groups', usersScope, routes.groups.list);
router.get ('/api/v1/groups', usersScope, routes.user.requireAdmin, routes.groups.list);
router.post('/api/v1/groups', usersScope, routes.user.requireAdmin, routes.groups.create);
router.get ('/api/v1/groups/:groupId', usersScope, routes.groups.get);
router.get ('/api/v1/groups/:groupId', usersScope, routes.user.requireAdmin, routes.groups.get);
router.del ('/api/v1/groups/:groupId', usersScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.groups.remove);
// form based login routes used by oauth2 frame
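Review bot: The admin-only policy for the group endpoints is still expressed only by repeating `routes.user.requireAdmin` on each route line, which is how the two GET routes stayed unguarded until this commit; nothing in the block says every group route must carry it. I would state that on the section comment, e.g. `// Group management: admin only, every route below must include routes.user.requireAdmin`. On the new side, both GET routes place the check after `usersScope` and before the handler, consistent with the POST and DELETE lines. The second changed file is not visible here; if it does not already do so, a test asserting that a non-admin user is rejected on both `GET /api/v1/groups` and `GET /api/v1/groups/:groupId` would keep this from regressing. `initializeExpressSync` starts and ends outside the hunk.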