fix: inability to access /admin if not superadmin

There was an odd issue where non-superadmins could not use
the /admin route to access the ACP, even though they had
appropriate access. For whatever reason, it could not
be reliably reproduced on my dev. As it turns out, the
reason was that I was checking the wrong privilege,
and my dev database had this wrong privilege leftover
from the initial development of the ACP admin privileges
feature. Dumb.

Anyhow, that fixes this issue.
v1.18.x
Julian Lam 4 years ago
parent 29e3ab247d
commit 03bd76dea2

@ -117,9 +117,17 @@ module.exports = function (middleware) {
// Otherwise, check for privilege based on page (if not in mapping, deny access)
const path = req.path.replace(/^(\/api)?\/admin\/?/g, '');
const privilege = privileges.admin.resolve(path);
if (!privilege || !await privileges.admin.can(privilege, req.uid)) {
return controllers.helpers.notAllowed(req, res);
if (path) {
const privilege = privileges.admin.resolve(path);
if (!privilege || !await privileges.admin.can(privilege, req.uid)) {
return controllers.helpers.notAllowed(req, res);
}
} else {
// If accessing /admin, check for any valid admin privs
const privilegeSet = await privileges.admin.get(req.uid);
if (!Object.values(privilegeSet).some(Boolean)) {
return controllers.helpers.notAllowed(req, res);
}
}
return next();
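Review bot: In the new `else` branch for bare `/admin`, `Object.values(privilegeSet).some(Boolean)` lets the request through if any value returned by `privileges.admin.get(req.uid)` is truthy, so the gate is only as strict as the shape of that object, which is not visible in this hunk. If the object ever carries a non-privilege field (an id, a label, a nested object), any caller would pass this check. It would be safer to test only known privilege names, or at least to record the assumption with a comment such as `// relies on privileges.admin.get() returning only boolean privilege flags; any other truthy value grants access to /admin`. The branch also assumes `get()` never resolves to null or undefined, since `Object.values` would then throw instead of reaching `notAllowed`. The enclosing middleware function starts and ends outside the hunk.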

@ -94,8 +94,6 @@ module.exports = function (privileges) {
privileges.admin.resolve = (path) => {
if (privileges.admin.routeMap[path]) {
return privileges.admin.routeMap[path];
} else if (path === '') {
return 'manage:dashboard';
}
let privilege;
