self-hosted/focalboard
1
0
Fork 0
mirror of https://github.com/mattermost/focalboard.git synced 2025-07-03 23:30:29 +02:00
Code Issues Releases Activity

Allow GetSubTree without auth. WIP

Browse Source
This commit is contained in:
Chen-I Lim
2021-01-12 18:49:08 -08:00
parent 2dab4f56fd
commit 61fb38d418
6 changed files with 62 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
server/api/api.go
View File

@ -37,7 +37,7 @@ func (a *API) RegisterRoutes(r *mux.Router) {
r.HandleFunc("/api/v1/blocks", a.sessionRequired(a.handleGetBlocks)).Methods("GET") r.HandleFunc("/api/v1/blocks", a.sessionRequired(a.handleGetBlocks)).Methods("GET")
r.HandleFunc("/api/v1/blocks", a.sessionRequired(a.handlePostBlocks)).Methods("POST") r.HandleFunc("/api/v1/blocks", a.sessionRequired(a.handlePostBlocks)).Methods("POST")
r.HandleFunc("/api/v1/blocks/{blockID}", a.sessionRequired(a.handleDeleteBlock)).Methods("DELETE") r.HandleFunc("/api/v1/blocks/{blockID}", a.sessionRequired(a.handleDeleteBlock)).Methods("DELETE")
r.HandleFunc("/api/v1/blocks/{blockID}/subtree", a.sessionRequired(a.handleGetSubTree)).Methods("GET") r.HandleFunc("/api/v1/blocks/{blockID}/subtree", a.attachSession(a.handleGetSubTree, false)).Methods("GET")
r.HandleFunc("/api/v1/users/me", a.sessionRequired(a.handleGetMe)).Methods("GET") r.HandleFunc("/api/v1/users/me", a.sessionRequired(a.handleGetMe)).Methods("GET")
r.HandleFunc("/api/v1/users/{userID}", a.sessionRequired(a.handleGetUser)).Methods("GET") r.HandleFunc("/api/v1/users/{userID}", a.sessionRequired(a.handleGetUser)).Methods("GET")
@ -242,6 +242,32 @@ func (a *API) handleGetSubTree(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r) vars := mux.Vars(r)
blockID := vars["blockID"] blockID := vars["blockID"]
// If not authenticated (no session), check that block is publicly shared
ctx := r.Context()
session, _ := ctx.Value("session").(*model.Session)
if session == nil {
rootID, err := a.app().GetRootID(blockID)
if err != nil {
log.Printf(`ERROR GetRootID %v: %v, REQUEST: %v`, blockID, err, r)
errorResponse(w, http.StatusInternalServerError, nil)
return
}
sharing, err := a.app().GetSharing(rootID)
if err != nil {
log.Printf(`ERROR GetSharing %v: %v, REQUEST: %v`, rootID, err, r)
errorResponse(w, http.StatusInternalServerError, nil)
return
}
// TODO: Check token
if sharing == nil || !(sharing.ID == rootID && sharing.Enabled) {
log.Printf(`handleGetSubTree public unauthorized, rootID: %v`, rootID)
errorResponse(w, http.StatusUnauthorized, nil)
return
}
}
query := r.URL.Query() query := r.URL.Query()
levels, err := strconv.ParseInt(query.Get("l"), 10, 32) levels, err := strconv.ParseInt(query.Get("l"), 10, 32)
if err != nil { if err != nil {
@ -252,7 +278,6 @@ func (a *API) handleGetSubTree(w http.ResponseWriter, r *http.Request) {
log.Printf(`ERROR Invalid levels: %d`, levels) log.Printf(`ERROR Invalid levels: %d`, levels)
errorData := map[string]string{"description": "invalid levels"} errorData := map[string]string{"description": "invalid levels"}
errorResponse(w, http.StatusInternalServerError, errorData) errorResponse(w, http.StatusInternalServerError, errorData)
return return
} }
@ -260,7 +285,6 @@ func (a *API) handleGetSubTree(w http.ResponseWriter, r *http.Request) {
if err != nil { if err != nil {
log.Printf(`ERROR: %v, REQUEST: %v`, err, r) log.Printf(`ERROR: %v, REQUEST: %v`, err, r)
errorResponse(w, http.StatusInternalServerError, nil) errorResponse(w, http.StatusInternalServerError, nil)
return return
} }
@ -269,7 +293,6 @@ func (a *API) handleGetSubTree(w http.ResponseWriter, r *http.Request) {
if err != nil { if err != nil {
log.Printf(`ERROR json.Marshal: %v, REQUEST: %v`, err, r) log.Printf(`ERROR json.Marshal: %v, REQUEST: %v`, err, r)
errorResponse(w, http.StatusInternalServerError, nil) errorResponse(w, http.StatusInternalServerError, nil)
return return
} }

11
server/api/auth.go
View File

@ -110,6 +110,10 @@ func (a *API) handleRegister(w http.ResponseWriter, r *http.Request) {
} }
func (a *API) sessionRequired(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) { func (a *API) sessionRequired(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
return a.attachSession(handler, true)
}
func (a *API) attachSession(handler func(w http.ResponseWriter, r *http.Request), required bool) func(w http.ResponseWriter, r *http.Request) {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
log.Printf(`Single User: %v`, a.singleUser) log.Printf(`Single User: %v`, a.singleUser)
if a.singleUser { if a.singleUser {
@ -129,7 +133,12 @@ func (a *API) sessionRequired(handler func(w http.ResponseWriter, r *http.Reques
token, _ := auth.ParseAuthTokenFromRequest(r) token, _ := auth.ParseAuthTokenFromRequest(r)
session, err := a.app().GetSession(token) session, err := a.app().GetSession(token)
if err != nil { if err != nil {
errorResponse(w, http.StatusUnauthorized, map[string]string{"error": err.Error()}) if required {
errorResponse(w, http.StatusUnauthorized, map[string]string{"error": err.Error()})
return
}
handler(w, r)
return return
} }
ctx := context.WithValue(r.Context(), "session", session) ctx := context.WithValue(r.Context(), "session", session)

4
server/app/blocks.go
View File

@ -16,6 +16,10 @@ func (a *App) GetBlocks(parentID string, blockType string) ([]model.Block, error
return a.store.GetBlocksWithParent(parentID) return a.store.GetBlocksWithParent(parentID)
} }
func (a *App) GetRootID(blockID string) (string, error) {
return a.store.GetRootID(blockID)
}
func (a *App) GetParentID(blockID string) (string, error) { func (a *App) GetParentID(blockID string) (string, error) {
return a.store.GetParentID(blockID) return a.store.GetParentID(blockID)
} }

17
server/services/store/sqlstore/blocks.go
View File

@ -262,6 +262,23 @@ func blocksFromRows(rows *sql.Rows) ([]model.Block, error) {
return results, nil return results, nil
} }
func (s *SQLStore) GetRootID(blockID string) (string, error) {
query := s.getQueryBuilder().Select("root_id").
FromSelect(s.latestsBlocksSubquery(), "latest").
Where(sq.Eq{"id": blockID})
row := query.QueryRow()
var rootID string
err := row.Scan(&rootID)
if err != nil {
return "", err
}
return rootID, nil
}
func (s *SQLStore) GetParentID(blockID string) (string, error) { func (s *SQLStore) GetParentID(blockID string) (string, error) {
query := s.getQueryBuilder().Select("parent_id"). query := s.getQueryBuilder().Select("parent_id").
FromSelect(s.latestsBlocksSubquery(), "latest"). FromSelect(s.latestsBlocksSubquery(), "latest").

1
server/services/store/store.go
View File

@ -11,6 +11,7 @@ type Store interface {
GetSubTree2(blockID string) ([]model.Block, error) GetSubTree2(blockID string) ([]model.Block, error)
GetSubTree3(blockID string) ([]model.Block, error) GetSubTree3(blockID string) ([]model.Block, error)
GetAllBlocks() ([]model.Block, error) GetAllBlocks() ([]model.Block, error)
GetRootID(blockID string) (string, error)
GetParentID(blockID string) (string, error) GetParentID(blockID string) (string, error)
InsertBlock(block model.Block) error InsertBlock(block model.Block) error
DeleteBlock(blockID string, modifiedBy string) error DeleteBlock(blockID string, modifiedBy string) error

3
webapp/src/octoClient.ts
View File

@ -113,6 +113,9 @@ class OctoClient {
private async getBlocksWithPath(path: string): Promise<IBlock[]> { private async getBlocksWithPath(path: string): Promise<IBlock[]> {
const response = await fetch(this.serverUrl + path, {headers: this.headers()}) const response = await fetch(this.serverUrl + path, {headers: this.headers()})
if (response.status !== 200) {
return []
}
const blocks = (await response.json() || []) as IMutableBlock[] const blocks = (await response.json() || []) as IMutableBlock[]
this.fixBlocks(blocks) this.fixBlocks(blocks)
return blocks return blocks