🔒️ Fix REST & GQL endpoints auth
Tim Izzo tim@octree.ch
Tue, 18 Oct 2022 18:41:14 +0200
13 files changed,
34 insertions(+),
48 deletions(-)
M
backend/config/permissions.ts
→
backend/config/permissions.ts
@@ -2,25 +2,20 @@ const publicPerms = [
"api::travel.travel.create", "api::travel.travel.delete", "api::travel.travel.update", - "api::vehicle.vehicle.create", "api::vehicle.vehicle.delete", "api::vehicle.vehicle.update", - "api::event.event.create", "api::event.event.findOne", "api::event.event.update", - "api::passenger.passenger.create", "api::passenger.passenger.delete", "api::passenger.passenger.update", - "api::page.page.find", "api::page.page.findOne", - "api::setting.setting.find", - // GraphQL disabled at load + // // GraphQL disabled at load "api::travel.travel.find", "api::passenger.passenger.find", "api::event.event.find",
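Review bot: `publicPerms` still carries `api::travel.travel.create`, `api::travel.travel.delete` and `api::travel.travel.update` as unchanged context lines, so the list named for the public role keeps write and delete actions on travels. That matters more after this commit, because `routes/travel.ts` goes from `routes: []` to a core router, and those actions would then be reachable over REST too if this list is what gets applied to the Public role (not visible here). Either move the write actions to an authenticated role or add a comment above them such as `// intentionally public: access is gated by <mechanism>, not by role`. The collapsed hunk does not show reliably which of the vehicle, event, passenger, page and setting entries are removed, so the same check applies to whatever remains. The new `// // GraphQL disabled at load` has a doubled comment marker that looks accidental.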
M
backend/src/api/event/routes/event.ts
→
backend/src/api/event/routes/event.ts
@@ -1,6 +1,3 @@
import { factories } from "@strapi/strapi";
-export default factories.createCoreRouter("api::event.event", {
- only: ["findOne", "create"],
- config: {},
-});
+export default factories.createCoreRouter("api::event.event");
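Review bot: Dropping `only: ["findOne", "create"]` makes the event router register every core route (find, findOne, create, update, delete), and the override added in `backend/src/index.ts` only answers `find`. The passenger, setting, travel and vehicle routers in this commit change the same way, from `routes: []` to the full core set, so update and delete on those types are now routed and protected by role permissions alone. If REST access to those actions is not intended, keep an explicit allow-list, e.g. `factories.createCoreRouter("api::event.event", { only: ["findOne", "create"] })`, and give each of the other four routers the smallest `only` list it needs.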
D
backend/src/api/page/services/page.js
@@ -1,8 +0,0 @@
-'use strict';
-
-/**
- * Read the documentation (https://strapi.io/documentation/v3.x/concepts/services.html#core-services)
- * to customize this service
- */
-
-module.exports = {};
A
backend/src/api/page/services/page.ts
@@ -0,0 +1,3 @@
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreService("api::page.page");
M
backend/src/api/passenger/routes/passenger.ts
→
backend/src/api/passenger/routes/passenger.ts
@@ -1,3 +1,3 @@
-export default {
- routes: [],
-};
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreRouter("api::passenger.passenger");
D
backend/src/api/passenger/services/passenger.js
@@ -1,8 +0,0 @@
-'use strict';
-
-/**
- * Read the documentation (https://strapi.io/documentation/developer-docs/latest/development/backend-customization.html#core-services)
- * to customize this service
- */
-
-module.exports = {};
A
backend/src/api/passenger/services/passenger.ts
@@ -0,0 +1,3 @@
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreService("api::passenger.passenger");
M
backend/src/api/setting/routes/setting.ts
→
backend/src/api/setting/routes/setting.ts
@@ -1,3 +1,3 @@
-export default {
- routes: [],
-};
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreRouter("api::setting.setting");
M
backend/src/api/travel/routes/travel.ts
→
backend/src/api/travel/routes/travel.ts
@@ -1,3 +1,3 @@
-export default {
- routes: [],
-};
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreRouter("api::travel.travel");
D
backend/src/api/travel/services/travel.js
@@ -1,8 +0,0 @@
-'use strict';
-
-/**
- * Read the documentation (https://strapi.io/documentation/developer-docs/latest/development/backend-customization.html#core-services)
- * to customize this service
- */
-
-module.exports = {};
A
backend/src/api/travel/services/travel.ts
@@ -0,0 +1,3 @@
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreService("api::travel.travel");
M
backend/src/api/vehicle/routes/vehicles.ts
→
backend/src/api/vehicle/routes/vehicles.ts
@@ -1,3 +1,3 @@
-export default {
- routes: [],
-};
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreRouter("api::vehicle.vehicle");
M
backend/src/index.ts
→
backend/src/index.ts
@@ -11,8 +11,17 @@ */
register(context) { graphqlExtends(context); - // Disable /users find REST endpoint - context.strapi.controller("plugin::users-permissions.user").find = () => {}; + // Disable REST endpoints + context.strapi.controller("api::event.event").find = (ctx) => + ctx.unauthorized(); + context.strapi.controller("api::passenger.passenger").find = (ctx) => + ctx.unauthorized(); + context.strapi.controller("api::travel.travel").find = (ctx) => + ctx.unauthorized(); + context.strapi.controller("api::vehicle.vehicle").find = (ctx) => + ctx.unauthorized(); + context.strapi.controller("plugin::users-permissions.user").find = (ctx) => + ctx.unauthorized(); }, /**
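Review bot: The comment `// Disable REST endpoints` overstates what the five assignments do: only the `find` (list) action is replaced, while findOne, create, update and delete on the same controllers keep their core handlers now that the routers are registered. `api::setting.setting` also gets a core router in this commit but no override here, which may be intended and deserves a word in the comment. I would reword it to `// Disable only the REST list (find) action; other actions rely on role permissions` and collapse the repetition into `for (const uid of DISABLED_FIND_UIDS) context.strapi.controller(uid).find = (ctx) => ctx.unauthorized();` with the five UIDs in one array. Note that `ctx.unauthorized()` answers 401 to authenticated callers too, so `ctx.forbidden()` may describe a permanently closed endpoint better.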