From 03bd76dea2c8214148211e28238c91947d3df143 Mon Sep 17 00:00:00 2001 From: Julian Lam Date: Fri, 21 Aug 2020 15:00:44 -0400 Subject: [PATCH] fix: inability to access /admin if not superadmin There was an odd issue where non-superadmins could not use the /admin route to access the ACP, even though they had appropriate access. For whatever reason, it could not be reliably reproduced on my dev. As it turns out, the reason was because I was checking the wrong privilege, and my dev database had this wrong privilege leftover from the initial development of the ACP admin privileges feature. Dumb. Anyhow, that fixes this issue. --- src/middleware/admin.js | 14 +++++++++++--- src/privileges/admin.js | 2 -- 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/middleware/admin.js b/src/middleware/admin.js
index b563dc1daafa..7a9fd9411e25 100644
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@@ -117,9 +117,17 @@ module.exports = function (middleware) {
 // Otherwise, check for privilege based on page (if not in mapping, deny access)
 const path = req.path.replace(/^(\/api)?\/admin\/?/g, '');
- const privilege = privileges.admin.resolve(path);
- if (!privilege || !await privileges.admin.can(privilege, req.uid)) {
- return controllers.helpers.notAllowed(req, res);
+ if (path) {
+ const privilege = privileges.admin.resolve(path);
+ if (!privilege || !await privileges.admin.can(privilege, req.uid)) {
+ return controllers.helpers.notAllowed(req, res);
+ }
+ } else {
+ // If accessing /admin, check for any valid admin privs
+ const privilegeSet = await privileges.admin.get(req.uid);
+ if (!Object.values(privilegeSet).some(Boolean)) {
+ return controllers.helpers.notAllowed(req, res);
+ }
 }
 return next();
diff --git a/src/privileges/admin.js b/src/privileges/admin.js
index 3e38a0f6afe7..a242405ec0b0 100644
--- a/src/privileges/admin.js
+++ b/src/privileges/admin.js
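Review bot: The new `else` branch in `src/middleware/admin.js` admits any uid holding at least one admin privilege to `/admin` (and `/api/admin`), whereas the removed `path === ''` mapping gated that route on a dashboard-specific privilege; if `/admin` still renders the dashboard — not visible in this hunk — a user granted only a narrow privilege such as tag or category management can now read dashboard data that `/admin/dashboard` would deny them. The loosened check also trusts that every key in what `privileges.admin.get()` returns is a privilege flag, so any truthy non-privilege field in that object (a superadmin-style marker, for instance) would satisfy `.some(Boolean)`; worth confirming against that function. If the intent is only to correct the wrong privilege name, resolving the bare `/admin` path to the dashboard entry preserves the original semantics: `const privilege = privileges.admin.resolve(path || 'dashboard');` followed by the existing `can()` check, assuming `'dashboard'` is a `routeMap` key. Otherwise the `/admin` handler should redirect to the first ACP page the caller may access rather than render the dashboard. The enclosing middleware function begins outside the hunk.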
@@ -94,8 +94,6 @@ module.exports = function (privileges) {
 privileges.admin.resolve = (path) => {
 if (privileges.admin.routeMap[path]) {
 return privileges.admin.routeMap[path];
- } else if (path === '') {
- return 'manage:dashboard';
 }
 let privilege;