intrn(validator): deny completely if there are no permissions passed

lemredd · Sep 11, 2022 · 77523b9 · 77523b9
1 parent fb93e58
commit 77523b9
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/server/validators/manager/does_belong_to_user.ts b/server/validators/manager/does_belong_to_user.ts
@@ -25,7 +25,7 @@ export default async function(
 
 	if (state.maySkip) return state
 
-	if (isUndefined(constraints.manager) || isUndefined(constraints.doesBelongToUser)) {
+	if (isUndefined(constraints.manager)) {
 		throw makeDeveloperError(constraints.field)
 	}
 
@@ -59,6 +59,24 @@ export default async function(
 
 	if (doesBelong) return state
 
+	if (isUndefined(constraints.doesBelongToUser)) {
+		const error = {
+			"field": constraints.field,
+			"friendlyName": constraints.friendlyName,
+			"messageMaker": (
+				field: string,
+				value: string
+			) => {
+				const subject = `The "${field}" with a value of "${value}"`
+				const predicate = "can only be processed for the current user"
+
+				return `${subject} ${predicate}`
+			}
+		}
+
+		throw error
+	}
+
 	const { permissionGroup, anyPermissionCombinationForBypass } = constraints.doesBelongToUser
 	const roles = userProfile.data.roles.data
 	const isPermitted = permissionGroup.hasOneRoleAllowed(roles, anyPermissionCombinationForBypass)