fix: property validation on some permission endpoints

HeyPuter · Jul 4, 2024 · 0855f2b · 0855f2b
1 parent dcbca2f
commit 0855f2b
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/packages/backend/src/routers/auth/grant-user-app.js b/packages/backend/src/routers/auth/grant-user-app.js
@@ -44,6 +44,12 @@ module.exports = eggspress('/auth/grant-user-app', {
         throw APIError.create('field_missing', null, { key: 'app_uid' });
     }
 
+    if ( ! req.body.permission ) {
+        throw APIError.create('field_missing', null, {
+            key: 'permission'
+        });
+    }
+
     const token = await svc_permission.grant_user_app_permission(
         actor, req.body.app_uid, req.body.permission,
         req.body.extra || {}, req.body.meta || {}

diff --git a/packages/backend/src/routers/auth/grant-user-user.js b/packages/backend/src/routers/auth/grant-user-user.js
@@ -21,6 +21,12 @@ module.exports = eggspress('/auth/grant-user-user', {
         throw APIError.create('field_missing', null, { key: 'target_username' });
     }
 
+    if ( ! req.body.permission ) {
+        throw APIError.create('field_missing', null, {
+            key: 'permission'
+        });
+    }
+
     await svc_permission.grant_user_user_permission(
         actor, req.body.target_username, req.body.permission,
         req.body.extra || {}, req.body.meta || {}