mirror of https://github.com/naturalcrit/homebrewery.git synced 2025-12-24 12:02:48 +00:00

If user is owner, fetch Google Brew with user auth

Fixes the case where a user can see a Google Brew under their account (`listBrew()` uses their personal auth) but can't actually delete it (`getBrew()` only uses the serviceAccount). This occurs if a Google brew has lost its permissions somehow (set to "restricted", etc.) such that the serviceAccount can no longer interact with it.
Trevor Buckner
2024-12-08 23:42:14 -05:00
parent 74a7983757
commit 9758797e2b
3 changed files with 6 additions and 4 deletions


@@ -241,8 +241,8 @@ const GoogleActions = {
return obj.data.id;
},
getGoogleBrew : async (id, accessId, accessType)=>{
const drive = googleDrive.drive({ version: 'v3', auth: defaultAuth });
getGoogleBrew : async (auth, id, accessId, accessType)=>{
const drive = googleDrive.drive({ version: 'v3', auth: auth || defaultAuth });
const obj = await drive.files.get({
fileId : id,
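Review bot: `getGoogleBrew` gains `auth` as a new first positional argument with no comment saying which credential it expects, and `auth || defaultAuth` falls back to the service account silently. Any caller not updated in this commit would pass the file id string in the `auth` slot; that string is truthy, so it would be handed to `googleDrive.drive` in place of `defaultAuth`. I would add a comment above the property such as `// auth: the requesting owner's OAuth2 client; when undefined the service account (defaultAuth) is used`. The function body continues outside the hunk, so it should be confirmed there that the `accessId`/`accessType` checks do not depend on which credential fetched the file.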


@@ -106,6 +106,7 @@ const api = {
stub = stub?.toObject();
googleId ??= stub?.googleId;
const isOwner = stub?.authors?.length === 0 || stub?.authors?.[0] === req.account?.username;
const isAuthor = stub?.authors?.includes(req.account?.username);
const isInvited = stub?.invitedAuthors?.includes(req.account?.username);
@@ -122,9 +123,10 @@ const api = {
}
// If there is a google id, try to find the google brew
const googleBrew = await GoogleActions.getGoogleBrew(googleId || stub?.googleId, id, accessType)
if(!stubOnly && googleId) {
const oAuth2Client = isOwner? GoogleActions.authCheck(req.account, res) : undefined;
const googleBrew = await GoogleActions.getGoogleBrew(oAuth2Client, googleId, id, accessType)
.catch((googleError)=>{
const reason = googleError.errors?.[0].reason;
if(reason == 'notFound')
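Review bot: `isOwner` evaluates to true for a signed-out request whenever the stub is missing or has no first author, because `stub?.authors?.[0] === req.account?.username` then compares `undefined === undefined`; it is also true for every requester when `authors` is empty. In those cases the second hunk calls `GoogleActions.authCheck(req.account, res)` with an account that may be absent, and that call sits before the `.catch()` chain rather than inside it. If `authCheck` throws for a signed-out user (its body is not shown here), a public share view would surface an auth error instead of falling back to the service account. Requiring a signed-in user first avoids this: `const isOwner = !!req.account?.username && (stub?.authors?.length === 0 || stub?.authors?.[0] === req.account.username);`. The enclosing function starts and ends outside both hunks.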


@@ -298,7 +298,7 @@ describe('Tests for api', ()=>{
expect(next).toHaveBeenCalled();
expect(api.getId).toHaveBeenCalledWith(req);
expect(model.get).toHaveBeenCalledWith({ shareId: '1' });
expect(google.getGoogleBrew).toHaveBeenCalledWith('2', '1', 'share');
expect(google.getGoogleBrew).toHaveBeenCalledWith(undefined, '2', '1', 'share');
});
it('access is denied to a locked brew', async()=>{
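Review bot: The updated expectation pins only the non-owner path, where the first argument to `getGoogleBrew` is `undefined`; nothing visible in this hunk exercises the owner path the commit introduces. A companion case where `req.account.username` matches `authors[0]` should assert that the value returned by `authCheck` is passed through, e.g. `expect(google.getGoogleBrew).toHaveBeenCalledWith(mockAuth, '2', '1', 'share');` with `mockAuth` a constructed stub. A second case for a signed-out request against a brew with an empty `authors` list would show whether the service-account fallback still applies. The `describe` block continues outside the hunk.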