self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2025-09-16 08:56:40 +02:00
Code Issues Releases Activity

Server: Disable logs and items pages for end-user

Browse Source 
These pages don't provide very useful information, even possibly
confusing and could probably be used to DoS the server since the
associated requests are not optimised.
This commit is contained in:
Laurent Cozic
2021-12-16 11:18:35 +01:00
parent aa42cebbca
commit 83a46e563d
3 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/server/src/routes/index/changes.ts
View File

@@ -9,10 +9,13 @@ import defaultView from '../../utils/defaultView';
import { View } from '../../services/MustacheService';
import { makeTablePagination, Table, Row, makeTableView } from '../../utils/views/table';
import config, { showItemUrls } from '../../config';
import { ErrorForbidden } from '../../utils/errors';
const router = new Router(RouteType.Web);
router.get('changes', async (_path: SubPath, ctx: AppContext) => {
if (!ctx.joplin.owner.is_admin) throw new ErrorForbidden();
const pagination = makeTablePagination(ctx.query, 'updated_time', PaginationOrderDir.DESC);
const paginatedChanges = await ctx.joplin.models.change().allByUser(ctx.joplin.owner.id, pagination);
const items = await ctx.joplin.models.item().loadByIds(paginatedChanges.items.map(i => i.item_id), { fields: ['id'] });

4
packages/server/src/routes/index/items.ts
View File

@@ -2,7 +2,7 @@ import { SubPath, respondWithItemContent } from '../../utils/routeUtils';
import Router from '../../utils/Router';
import { RouteType } from '../../utils/types';
import { AppContext } from '../../utils/types';
import { ErrorNotFound } from '../../utils/errors';
import { ErrorForbidden, ErrorNotFound } from '../../utils/errors';
import config, { showItemUrls } from '../../config';
import { formatDateTime } from '../../utils/time';
import defaultView from '../../utils/defaultView';
@@ -14,6 +14,8 @@ import { formatBytes } from '../../utils/bytes';
const router = new Router(RouteType.Web);
router.get('items', async (_path: SubPath, ctx: AppContext) => {
if (!ctx.joplin.owner.is_admin) throw new ErrorForbidden();
const pagination = makeTablePagination(ctx.query, 'name', PaginationOrderDir.ASC);
const paginatedItems = await ctx.joplin.models.item().children(ctx.joplin.owner.id, '', pagination, { fields: ['id', 'name', 'updated_time', 'mime_type', 'content_size'] });

8
packages/server/src/views/partials/navbar.mustache
View File

@@ -14,8 +14,12 @@
{{#global.owner.is_admin}}
<a class="navbar-item" href="{{{global.baseUrl}}}/users">{{s.users}}</a>
{{/global.owner.is_admin}}
<a class="navbar-item" href="{{{global.baseUrl}}}/items">{{s.items}}</a>
<a class="navbar-item" href="{{{global.baseUrl}}}/changes">{{s.log}}</a>
{{#global.owner.is_admin}}
<a class="navbar-item" href="{{{global.baseUrl}}}/items">{{s.items}}</a>
{{/global.owner.is_admin}}
{{#global.owner.is_admin}}
<a class="navbar-item" href="{{{global.baseUrl}}}/changes">{{s.log}}</a>
{{/global.owner.is_admin}}
{{#global.owner.is_admin}}
<a class="navbar-item" href="{{{global.baseUrl}}}/tasks">{{s.tasks}}</a>
{{/global.owner.is_admin}}