Remove access to other people's user data (#15)

/users now returns an error 403 (either remove it or keep it with access limited to admins). /users/:id now returns an error 403 if the accessed user is a different user from the one logged in. gbv/cocoda#273
gbv · Feb 28, 2019 · a21f502 · a21f502
1 parent 8e6d3d0
commit a21f502
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -347,15 +347,15 @@ Returns an object with keys `title` (title of the login-server instance), `env`
 Returns a list of available providers (stripped off sensitive information).
 
 ### GET /users
-Note: This may be removed in the future.
+Currently not available and undecided whether it will be removed.
 
-Returns all users in database. If URL parameter `uri` is given, only users whose identities match one of the URIs are returned. Multiple URIs are separated by `|`.
+<!-- Returns all users in database. If URL parameter `uri` is given, only users whose identities match one of the URIs are returned. Multiple URIs are separated by `|`. -->
 
 ### GET /currentUser
 Returns the currently logged in user. Returns an 404 error when no user is logged in.
 
 ### GET /users/:id
-Returns a specific user.
+Returns a specific user. Currently restricted to one's own user ID.
 
 ### PATCH /users/:id
 Adjusts a specific user. Can only be used if the same user is currently logged in. Allowed properties to change: `name` (everything else will be ignored).

diff --git a/routes/user.js b/routes/user.js
@@ -10,31 +10,36 @@ const events = require("../lib/events")
 module.exports = app => {
 
   app.get("/users", (req, res) => {
-    let query = req.query || {}
-    let conditions = []
-    // Search by URI
-    if (query.uri) {
-      let uris = query.uri.split("|")
-      for (let uri of uris) {
-        conditions.push({ uri })
-        conditions.push({ merged: uri })
-        for (let provider of config.providers) {
-          conditions.push({ [`identities.${provider.id}.uri`]: uri })
-        }
-      }
-    }
-    User.find(conditions.length ? { $or: conditions } : {}).then(users => {
-      res.json(users)
-    }).catch(error => {
-      console.log(error.message)
-      res.status(500).json({ status: 500, message: "Could not retrieve users." })
-    })
+    res.status(403).json({ status: 403, message: "Unauthorized access to user list." })
+    // let query = req.query || {}
+    // let conditions = []
+    // // Search by URI
+    // if (query.uri) {
+    //   let uris = query.uri.split("|")
+    //   for (let uri of uris) {
+    //     conditions.push({ uri })
+    //     conditions.push({ merged: uri })
+    //     for (let provider of config.providers) {
+    //       conditions.push({ [`identities.${provider.id}.uri`]: uri })
+    //     }
+    //   }
+    // }
+    // User.find(conditions.length ? { $or: conditions } : {}).then(users => {
+    //   res.json(users)
+    // }).catch(error => {
+    //   console.log(error.message)
+    //   res.status(500).json({ status: 500, message: "Could not retrieve users." })
+    // })
   })
 
   app.get("/users/:id", (req, res) => {
     User.findById(req.params.id).then(user => {
       if (user) {
-        res.json(user)
+        if (req.user && req.user.id == user.id) {
+          res.json(user)
+        } else {
+          res.status(403).json({ status: 403, message: "Unauthorized access to user data." })
+        }
       } else {
         let uri = `${config.baseUrl}/users/${req.params.id}`
         User.findOne({ merged: uri }).then(user => {