From 14d3a243a254f60270db9ab0f4ff04c4380a2227 Mon Sep 17 00:00:00 2001
From: Jesse Wierzbinski
Date: Sun, 12 May 2024 13:43:58 -1000
Subject: [PATCH] fix(api): :bug: Add safeguards to emoji upload routes
---
 server/api/api/v1/emojis/:id/index.ts | 6 +++++-
 server/api/api/v1/emojis/index.ts | 8 ++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/server/api/api/v1/emojis/:id/index.ts b/server/api/api/v1/emojis/:id/index.ts
index 173f4701..18fef0d7 100644
--- a/server/api/api/v1/emojis/:id/index.ts
+++ b/server/api/api/v1/emojis/:id/index.ts
@@ -70,8 +70,12 @@ export default (app: Hono) =>
 const { id } = context.req.valid("param");
 const { user } = context.req.valid("header");

+ if (!user) {
+ return errorResponse("Unauthorized", 401);
+ }
+
 // Check if user is admin
- if (!user?.getUser().isAdmin) {
+ if (!user.getUser().isAdmin) {
 return jsonResponse(
 {
 error: "You do not have permission to modify emojis (must be an administrator)",
diff --git a/server/api/api/v1/emojis/index.ts b/server/api/api/v1/emojis/index.ts
index 42a2da16..009b85cd 100644
--- a/server/api/api/v1/emojis/index.ts
+++ b/server/api/api/v1/emojis/index.ts
@@ -7,7 +7,7 @@ import {
 } from "@api";
 import { mimeLookup } from "@content_types";
 import { zValidator } from "@hono/zod-validator";
-import { jsonResponse } from "@response";
+import { errorResponse, jsonResponse } from "@response";
 import type { Hono } from "hono";
 import { z } from "zod";
 import { getUrl } from "~database/entities/Attachment";
@@ -62,8 +62,12 @@ export default (app: Hono) =>
 const { shortcode, element, alt } = context.req.valid("form");
 const { user } = context.req.valid("header");

+ if (!user) {
+ return errorResponse("Unauthorized", 401);
+ }
+
 // Check if user is admin
- if (!user?.getUser().isAdmin) {
+ if (!user.getUser().isAdmin) {
 return jsonResponse(
 {
 error: "You do not have permission to add emojis (must be an administrator)",
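Review bot: The same two-step guard (missing user gives 401, non-admin gives the permission error) is written out by hand in the `@@ -70,8 +70,12 @@` hunk of `:id/index.ts` and again in the `@@ -62,8 +62,12 @@` hunk of `emojis/index.ts`, so a later admin route can be added with one of the steps missing. Moving both checks into one shared helper that each admin-only handler calls first would keep the authentication and authorization decision in a single place, and a comment such as `// Reject unauthenticated requests before the admin check` above `if (!user)` would make the ordering explicit. The `:id/index.ts` section shows no import change for `errorResponse`, so it is presumably already imported there; that is worth confirming. The commit touches no test file, so a test asserting 401 without credentials and the permission error for a non-admin user would pin the new behaviour. Both handlers start and end outside their hunks.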