Press n or j to go to the next uncovered block, b, p or k for the previous block.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 | 12x 11x 11x 4x 7x 7x 11x 11x 11x 1x 10x 3x 12x 23x 23x 23x 2x 21x 3x | import { MiddlewareObj, Request } from "@middy/core";
import { createError } from "@middy/util";
import { isCmsUser, isUserManagerUser } from "shared-utils";
import { getAuthUserFromRequest, getPackageFromRequest } from "./utils";
/**
* Checks the user's permissions to determine if they can access the package.
* @returns {MiddlewareObj} middleware the validate permission for a user to view a package before the handler runs
*/
export const canViewPackage = (): MiddlewareObj => ({
before: async (request: Request) => {
const packageResult = await getPackageFromRequest(request);
let state: string;
if (packageResult) {
state = packageResult?._source?.state.toUpperCase();
} else {
// the event body should already have been validated by `validator` before this handler runs
const { id } = request.event.body as { id: string };
state = id.substring(0, 2).toUpperCase();
}
Iif (!state) {
throw new Error("Could not resolve the state of the package");
}
// Get the user to check if they are authorized to see the package
const user = await getAuthUserFromRequest(request);
if (!user) {
throw new Error("User was not stored on the request");
}
if (!isCmsUser(user) && (!user.states || !user.states.includes(state))) {
throw createError(403, JSON.stringify({ message: "Not authorized to view this resource" }));
}
},
});
/**
* Checks the user's permissions to determine if they can view the user.
* @returns {MiddlewareObj} middleware the validate permission for a user to view a user before the handler runs
*/
export const canViewUser = (): MiddlewareObj => ({
before: async (request: Request) => {
// Get the user to check if they are authorized to see the user
const authenticatedUser = await getAuthUserFromRequest(request);
const { userEmail } = request.event.body;
// if the user wasn't set in context throw an error
if (!authenticatedUser || !authenticatedUser?.email) {
throw new Error("User was not stored on the request");
}
// if the userEmail was set but the authenticated user does not have
// authorization to view another user's details, throw an error
if (
userEmail &&
authenticatedUser.email !== userEmail &&
!isUserManagerUser(authenticatedUser)
) {
throw createError(403, JSON.stringify({ message: "Not authorized to view this resource" }));
}
},
});
|