Merge pull request #233 from Digipalvelutehdas/hotfix/users-security

frenchbread · web-flow · commit dd11d761c140 · 2017-01-16T22:54:35.000+02:00
Hotfix/users security
diff --git a/about/client/about.html b/about/client/about.html
@@ -28,7 +28,7 @@ <h3>
               Apinf
             </dt>
             <dd>
-              0.38.0
+              0.38.1
             </dd>
             <dt>
               API Umbrella
diff --git a/api_catalog/client/api_catalog.js b/api_catalog/client/api_catalog.js
@@ -2,13 +2,14 @@ import { Meteor } from 'meteor/meteor';
 import { Template } from 'meteor/templating';
 import { Roles } from 'meteor/alanning:roles';
 import { FlowRouter } from 'meteor/kadira:flow-router';
-
 import { Apis } from '/apis/collection';
 import { ApiBookmarks } from '/bookmarks/collection';
+import $ from 'jquery';
 
 Template.apiCatalog.onCreated(function () {
   // Get reference to template instance
   const instance = this;
+
   // Get user id
   const userId = Meteor.userId();
 
@@ -43,8 +44,9 @@ Template.apiCatalog.onCreated(function () {
 
   // Subscribe to API logo collection
   instance.subscribe('allApiLogo');
+
   // Subscribe to all users, returns only usernames
-  instance.subscribe('allUsers');
+  instance.subscribe('allUsersUsernamesOnly');
 
   // Watch for changes in the sort and filter settings
   instance.autorun(() => {
@@ -77,29 +79,33 @@ Template.apiCatalog.onCreated(function () {
     // Filtering available for registered users
     if (userId) {
       switch (filterByParameter) {
-        case 'all':
+        case 'all': {
           // Delete filter for managed apis & bookmarks
           delete currentFilters.managerIds;
           delete currentFilters._id;
           break;
-        case 'my-apis':
+        }
+        case 'my-apis': {
           // Delete filter for bookmarks
           delete currentFilters._id;
           // Set filter for managed apis
           currentFilters.managerIds = userId;
           break;
-        case 'my-bookmarks':
+        }
+        case 'my-bookmarks': {
           // Delete filter for managed apis
           delete currentFilters.managerIds;
           // Get user bookmarks
           const userBookmarks = ApiBookmarks.findOne({ userId }) || '';
           // Set filter for bookmarks
           currentFilters._id = { $in: userBookmarks.apiIds };
           break;
-        default:
+        }
+        default: {
           // Otherwise get it like default value
           currentFilters = { isPublic: true };
           break;
+        }
       }
     } else {
       // Otherwise get it like default value
diff --git a/apis/client/profile/view.js b/apis/client/profile/view.js
@@ -39,7 +39,7 @@ Template.viewApi.onCreated(function () {
   instance.subscribe('apiAuthorizedUsersPublicDetails', instance.apiId);
 
   // Subscribe to all users, returns only usernames
-  instance.subscribe('allUsers');
+  instance.subscribe('allUsersUsernamesOnly');
 
   // Subscribe to organization for this API
   instance.subscribe('apiOrganizationBasicDetails', instance.apiId);
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "apinf",
-  "version": "0.38.0",
+  "version": "0.38.1",
   "description": "API management portal and proxy.",
   "main": "index.js",
   "directories": {
diff --git a/users/client/lib/router.js b/users/client/lib/router.js
@@ -2,12 +2,32 @@ import { Meteor } from 'meteor/meteor';
 import { FlowRouter } from 'meteor/kadira:flow-router';
 import { BlazeLayout } from 'meteor/kadira:blaze-layout';
 import { Accounts } from 'meteor/accounts-base';
+import { Roles } from 'meteor/alanning:roles';
 import { sAlert } from 'meteor/juliancwirko:s-alert';
 import { TAPi18n } from 'meteor/tap:i18n';
 import { AccountsTemplates } from 'meteor/useraccounts:core';
 
 FlowRouter.route('/users', {
   name: 'accountsAdmin',
+  triggersEnter: [
+    function (context, redirect) {
+      /*
+      Make sure user is authorized to access route (admin users only)
+      */
+
+      // Get current User ID
+      const userId = Meteor.userId();
+
+      // Check if User is admin
+      const userIsAdmin = Roles.userIsInRole(userId, 'admin');
+
+      // If user is not an admin
+      if (!userIsAdmin) {
+        // Redirect to 'not authorized' route
+        redirect('/not-authorized');
+      }
+    },
+  ],
   action: function () {
     BlazeLayout.render('masterLayout', { main: 'accountsAdmin' });
   },
diff --git a/users/collection/server/publications.js b/users/collection/server/publications.js
@@ -1,10 +1,12 @@
 import { Meteor } from 'meteor/meteor';
 import { Apis } from '/apis/collection';
 
-Meteor.publish('allUsers', function () {
+Meteor.publish('allUsersUsernamesOnly', function () {
   return Meteor.users.find({}, { fields: { username: 1 } });
 });
 
+// TODO: determine whether this publication is used
+// If it is used, refactor it to be a regular publication
 Meteor.publishComposite('user', function () {
   return {
     find () {

-Original file line number
+Diff line change
               Apinf
             </dt>
             <dd>
 -              0.38.0
 +              0.38.1
             </dd>
             <dt>
               API Umbrella
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "apinf",`
`3`		`- "version": "0.38.0",`
	`3`	`+ "version": "0.38.1",`
`4`	`4`	`"description": "API management portal and proxy.",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"directories": {`