form hooks should only be queryable for form admins

Michael Schramm 2022-03-14 13:49:16 +01:00
parent b3cacb8481
commit 7ea4f51f4b
2 changed files with 7 additions and 0 deletions


@ -30,6 +30,8 @@ Template for next version
### Security
- form hooks should only be queryable for form admins
## [1.0.2] - 2022-03-13
### Fixed


@ -43,6 +43,7 @@ export class FormResolver {
}
@ResolveField(() => [FormHookModel])
@Roles('admin')
async hooks(
@User() user: UserEntity,
@Parent() parent: FormModel,
@ -50,6 +51,10 @@ export class FormResolver {
): Promise<FormHookModel[]> {
const form = await cache.get<FormEntity>(cache.getCacheKey(FormEntity.name, parent._id))
if (!this.formService.isAdmin(form, user)) {
throw new Error('no access to field')
}
return form.hooks?.map(hook => new FormHookModel(hook)) || []
}
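Review bot: The new guard `if (!this.formService.isAdmin(form, user))` in `hooks` depends on `form` coming back from `cache.get`, and nothing visible here shows what `isAdmin` returns for a missing form or an unauthenticated `user`; it is worth confirming that this path denies rather than falling through to `form.hooks`. The denial is thrown as a plain `Error`, which clients and logs cannot tell apart from a server fault; if this is NestJS (the decorators suggest so), `throw new ForbiddenException('no access to field')` would make the authorization failure explicit. The commit touches only the changelog and this resolver, so a test asserting that a non-admin user querying `hooks` is rejected would keep the fix from regressing. The parameter list of `hooks` and the rest of `FormResolver` lie outside the hunks shown.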