public-offering
/
pad.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

webaccess: Exempt `/favicon.ico` and `/locales.json` from auth checks

pull/4380/head
Richard Hansen 2020-08-29 20:28:08 -04:00 committed by John McLear
parent 5964055dec
commit 554eef7770
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/node/hooks/express/webaccess.js
View File

@ -11,6 +11,15 @@ const cookieParser = require('cookie-parser');
hooks.deprecationNotices.authFailure = 'use the authnFailure and authzFailure hooks instead'; hooks.deprecationNotices.authFailure = 'use the authnFailure and authzFailure hooks instead';
const staticPathsRE = new RegExp('^/(' + [
'api/.*',
'favicon\\.ico',
'javascripts/.*',
'locales\\.json',
'pluginfw/.*',
'static/.*',
].join('|') + ')$');
exports.normalizeAuthzLevel = (level) => { exports.normalizeAuthzLevel = (level) => {
if (!level) return false; if (!level) return false;
switch (level) { switch (level) {
@ -108,8 +117,7 @@ exports.checkAccess = (req, res, next) => {
httpLogger.error('Error in preAuthorize hook:', err); httpLogger.error('Error in preAuthorize hook:', err);
return res.status(500).send('Internal Server Error'); return res.status(500).send('Internal Server Error');
} }
// Do not require auth for static paths and the API...this could be a bit brittle if (req.path.match(staticPathsRE)) results.push(true);
if (req.path.match(/^\/(static|javascripts|pluginfw|api)/)) results.push(true);
if (requireAdmin) { if (requireAdmin) {
// Filter out all 'true' entries to prevent plugin authors from accidentally granting admin // Filter out all 'true' entries to prevent plugin authors from accidentally granting admin
// privileges to the general public. // privileges to the general public.