fix: inability to access /admin if not superadmin

There was an odd issue where non-superadmins could not use the /admin route to access the ACP, even though they had appropriate access. For whatever reason, it could not be reliably reproduced on my dev. As it turns out, the reason was because I was checking the wrong privilege, and my dev database had this wrong privilege leftover from the initial development of the ACP admin privileges feature. Dumb. Anyhow, that fixes this issue.
4 years ago · 03bd76dea2
parent 29e3ab247d
commit 03bd76dea2
2 changed files with 11 additions and 5 deletions
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@ -117,10 +117,18 @@ module.exports = function (middleware) {

 		// Otherwise, check for privilege based on page (if not in mapping, deny access)
 		const path = req.path.replace(/^(\/api)?\/admin\/?/g, '');
+		if (path) {
 			const privilege = privileges.admin.resolve(path);
 			if (!privilege || !await privileges.admin.can(privilege, req.uid)) {
 				return controllers.helpers.notAllowed(req, res);
 			}
+		} else {
+			// If accessing /admin, check for any valid admin privs
+			const privilegeSet = await privileges.admin.get(req.uid);
+			if (!Object.values(privilegeSet).some(Boolean)) {
+				return controllers.helpers.notAllowed(req, res);
+			}
+		}

 		return next();
 	};
--- a/src/privileges/admin.js
+++ b/src/privileges/admin.js
@ -94,8 +94,6 @@ module.exports = function (privileges) {
 	privileges.admin.resolve = (path) => {
 		if (privileges.admin.routeMap[path]) {
 			return privileges.admin.routeMap[path];
-		} else if (path === '') {
-			return 'manage:dashboard';
 		}

 		let privilege;