From 62e866200d4c2e268eebd63e6a649302654168c9 Mon Sep 17 00:00:00 2001 From: Sebastien DUMETZ Date: Wed, 10 Jan 2024 12:30:31 +0100 Subject: [PATCH] properly send a 404 error when an user requests an UI view on a scene he can't access --- source/server/server.ts | 6 ++++-- source/server/templates/error.hbs | 3 +-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/source/server/server.ts b/source/server/server.ts index 1e72722d..135edd49 100644 --- a/source/server/server.ts +++ b/source/server/server.ts @@ -8,7 +8,7 @@ import UserManager from "./auth/UserManager.js"; import { BadRequestError, HTTPError } from "./utils/errors.js"; import { mkdir } from "fs/promises"; -import {AppLocals, getHost, getUserManager} from "./utils/locals.js"; +import {AppLocals, canRead, canWrite, getHost, getUserManager, isUser} from "./utils/locals.js"; import openDatabase from "./vfs/helpers/db.js"; import Vfs from "./vfs/index.js"; @@ -105,6 +105,8 @@ export default async function createServer(config = defaultConfig) :Promise{ let {scene} = req.params; @@ -122,7 +124,7 @@ export default async function createServer(config = defaultConfig) :Promise{ + app.get("/ui/scenes/:scene/edit", canWrite, (req, res)=>{ let {scene} = req.params; let {lang} = req.query; let host = getHost(req); diff --git a/source/server/templates/error.hbs b/source/server/templates/error.hbs index f5e615c2..42a17b47 100644 --- a/source/server/templates/error.hbs +++ b/source/server/templates/error.hbs @@ -41,5 +41,4 @@ padding: 1ch; } - - \ No newline at end of file + \ No newline at end of file
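Review bot: The `canWrite` guard added to `/ui/scenes/:scene/edit` comes with no regression test; the diffstat lists only `server.ts` and `error.hbs`, so nothing pins the 404 behaviour the subject line promises. I would add tests asserting that a request without write access to a private scene and a request for a scene that does not exist both receive a 404 with the same body, so the response does not reveal whether a scene name exists. A short comment above the route would also help, for example `// canWrite answers 404 rather than 401/403 so private scene names are not disclosed`, assuming that is what the middleware in `./utils/locals.js` does, since it is not visible here. `isUser` is imported in the first hunk but is not used in any line shown on this page; drop it if the lines of the `@@ -105,6 +105,8 @@` hunk that are missing from this page do not use it. The handler body continues outside the hunk.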