diff --git a/packages/server/src/middleware/routeHandler.ts b/packages/server/src/middleware/routeHandler.ts
index 83a0558cb..126c37a57 100644
--- a/packages/server/src/middleware/routeHandler.ts
+++ b/packages/server/src/middleware/routeHandler.ts
@@ -16,10 +16,14 @@ export default async function(ctx: AppContext) {
 let responseObject = null;
 const routeHandler = match.route.findEndPoint(ctx.request.method as HttpMethod, match.subPath.schema);
- responseObject = await routeHandler(match.subPath, ctx);
+ // This is a generic catch-all for all private end points - if we
+ // couldn't get a valid session, we exit now. Individual end points
+ // might have additional permission checks depending on the action.
 if (!match.route.public && !ctx.owner) throw new ErrorForbidden();
+ responseObject = await routeHandler(match.subPath, ctx);
+
 if (responseObject instanceof Response) {
 ctx.response = responseObject.response;
 } else if (isView(responseObject)) {
diff --git a/packages/server/src/routes/api/files.test.ts b/packages/server/src/routes/api/files.test.ts
index 1f01c903a..bece2e5ba 100644
--- a/packages/server/src/routes/api/files.test.ts
+++ b/packages/server/src/routes/api/files.test.ts
@@ -416,4 +416,9 @@ describe('api_files', function() {
 expect(page3.items.length).toBe(0);
 });
+ test('should not allow creating file without auth', async function() {
+ const context = await putFileContentContext('', 'root:/photo.jpg:', testFilePath());
+ expect(context.response.status).toBe(ErrorForbidden.httpCode);
+ });
+
 });
diff --git a/packages/server/src/utils/testing/apiUtils.ts b/packages/server/src/utils/testing/apiUtils.ts
index 0c6bb3c00..0130401c3 100644
--- a/packages/server/src/utils/testing/apiUtils.ts
+++ b/packages/server/src/utils/testing/apiUtils.ts
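Review bot: The session check is still evaluated after `match.route.findEndPoint(...)`, so an unauthenticated request to a private route whose end point does not exist is presumably answered by whatever findEndPoint raises rather than by ErrorForbidden, which lets callers without a session learn which end points exist; moving `if (!match.route.public && !ctx.owner) throw new ErrorForbidden();` above the `const routeHandler = ...` line closes that. With the handler call now after the check, `let responseObject = null;` can become `const responseObject = await routeHandler(match.subPath, ctx);` at the point of the call, unless it is reassigned further down. The enclosing middleware function starts and ends outside the hunk.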
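Review bot: The new test pins only the status code, which the pre-change ordering very likely produced as well, since ErrorForbidden was thrown after the handler had already run; as written it would not catch a regression to the old order. Follow the PUT with a check that `root:/photo.jpg:` was not created, for example fetching its metadata with an authenticated session and expecting a not-found status. The test also assumes `putFileContentContext('', ...)` sends no session rather than an empty session id; a short comment on that line stating that contract would help the next reader.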
@@ -15,7 +15,7 @@ import { AppContext } from '../types';
 import { koaAppContext } from './testUtils';
 export function checkContextError(context: AppContext) {
- if (context.response.status >= 400) throw new Error(`Cannot create directory: ${JSON.stringify(context.response)}`);
+ if (context.response.status >= 400) throw new Error(JSON.stringify(context.response));
 }
 export async function getFileMetadataContext(sessionId: string, path: string): Promise {
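Review bot: The rewritten message in `checkContextError` drops the misleading prefix but leaves the reader with a bare JSON blob; putting the status first makes failures readable at a glance, `throw new Error('Request failed with status ' + context.response.status + ': ' + JSON.stringify(context.response));`. Serialising the whole response object may also copy headers or body into test output, so if any of that can carry session material it is worth limiting the dump to status and body. The helper has no TSDoc; a one-liner such as `/** Throws when a test request's response carries an error status (>= 400), with the serialised response as the message. */` would state its contract.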