refactor: cleans up and removes unncessary console.log statement

fix(middleware): enhanced user privacy on profile pages
Addresses a security vulnerability where the `/users/[:id]` route was accessible to users without the necessary permissions. Adds middleware that protects that route so that only authenticated users with the MANAGE_USERS and VIEW_WATCHLIST permissions can access other user's profile pages as intended. fix #569
2023-11-19 10:28:14 +05:00 · 2023-11-19 10:21:57 +05:00
6 changed files with 17 additions and 29 deletions
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -182,21 +182,25 @@ router.post<
  }
 });

-router.get<{ id: string }>('/:id', async (req, res, next) => {
-  try {
-    const userRepository = getRepository(User);
+router.get<{ id: string }>(
+  '/:id',
+  isAuthenticated([Permission.MANAGE_USERS, Permission.WATCHLIST_VIEW]),
+  async (req, res, next) => {
+    try {
+      const userRepository = getRepository(User);

-    const user = await userRepository.findOneOrFail({
-      where: { id: Number(req.params.id) },
-    });
+      const user = await userRepository.findOneOrFail({
+        where: { id: Number(req.params.id) },
+      });

-    return res
-      .status(200)
-      .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
-  } catch (e) {
-    next({ status: 404, message: 'User not found.' });
+      return res
+        .status(200)
+        .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
+    } catch (e) {
+      next({ status: 404, message: 'User not found.' });
+    }
  }
-});
+);

 router.use('/:id/settings', userSettingsRoutes);

--- a/src/components/Common/ListView/index.tsx
+++ b/src/components/Common/ListView/index.tsx
@@ -19,7 +19,6 @@ type ListViewProps = {
  isLoading?: boolean;
  isReachingEnd?: boolean;
  onScrollBottom: () => void;
-  mutateParent?: () => void;
 };

 const ListView = ({
@@ -29,7 +28,6 @@ const ListView = ({
  onScrollBottom,
  isReachingEnd,
  plexItems,
-  mutateParent,
 }: ListViewProps) => {
  const intl = useIntl();
  useVerticalScroll(onScrollBottom, !isLoading && !isEmpty && !isReachingEnd);
@@ -50,7 +48,6 @@ const ListView = ({
                type={title.mediaType}
                isAddedToWatchlist={true}
                canExpand
-                mutateParent={mutateParent}
              />
            </li>
          );
--- a/src/components/Discover/DiscoverWatchlist/index.tsx
+++ b/src/components/Discover/DiscoverWatchlist/index.tsx
@@ -30,7 +30,6 @@ const DiscoverWatchlist = () => {
    titles,
    fetchMore,
    error,
-    mutate,
  } = useDiscover<WatchlistItem>(
    `/api/v1/${
      router.pathname.startsWith('/profile')
@@ -77,7 +76,6 @@ const DiscoverWatchlist = () => {
        }
        isReachingEnd={isReachingEnd}
        onScrollBottom={fetchMore}
-        mutateParent={mutate}
      />
    </>
  );
--- a/src/components/TitleCard/TmdbTitleCard.tsx
+++ b/src/components/TitleCard/TmdbTitleCard.tsx
@@ -12,7 +12,6 @@ export interface TmdbTitleCardProps {
  type: 'movie' | 'tv';
  canExpand?: boolean;
  isAddedToWatchlist?: boolean;
-  mutateParent?: () => void;
 }

 const isMovie = (movie: MovieDetails | TvDetails): movie is MovieDetails => {
@@ -26,7 +25,6 @@ const TmdbTitleCard = ({
  type,
  canExpand,
  isAddedToWatchlist = false,
-  mutateParent,
 }: TmdbTitleCardProps) => {
  const { hasPermission } = useUser();

@@ -73,7 +71,6 @@ const TmdbTitleCard = ({
      year={title.releaseDate}
      mediaType={'movie'}
      canExpand={canExpand}
-      mutateParent={mutateParent}
    />
  ) : (
    <TitleCard
@@ -90,7 +87,6 @@ const TmdbTitleCard = ({
      year={title.firstAirDate}
      mediaType={'tv'}
      canExpand={canExpand}
-      mutateParent={mutateParent}
    />
  );
 };
--- a/src/components/TitleCard/index.tsx
+++ b/src/components/TitleCard/index.tsx
@@ -38,7 +38,6 @@ interface TitleCardProps {
  canExpand?: boolean;
  inProgress?: boolean;
  isAddedToWatchlist?: number | boolean;
-  mutateParent?: () => void;
 }

 const messages = defineMessages({
@@ -62,7 +61,6 @@ const TitleCard = ({
  isAddedToWatchlist = false,
  inProgress = false,
  canExpand = false,
-  mutateParent,
 }: TitleCardProps) => {
  const isTouch = useIsTouch();
  const intl = useIntl();
@@ -150,9 +148,6 @@ const TitleCard = ({
    } finally {
      setIsUpdating(false);
      mutate('/api/v1/discover/watchlist');
-      if (mutateParent) {
-        mutateParent();
-      }
      setToggleWatchlist((prevState) => !prevState);
    }
  };
--- a/src/hooks/useDiscover.ts
+++ b/src/hooks/useDiscover.ts
@@ -25,7 +25,6 @@ interface DiscoverResult<T, S> {
  error: unknown;
  titles: T[];
  firstResultData?: BaseSearchResult<T> & S;
-  mutate?: () => void;
 }

 const extraEncodes: [RegExp, string][] = [
@@ -55,7 +54,7 @@ const useDiscover = <
  { hideAvailable = true } = {}
 ): DiscoverResult<T, S> => {
  const settings = useSettings();
-  const { data, error, size, setSize, isValidating, mutate } = useSWRInfinite<
+  const { data, error, size, setSize, isValidating } = useSWRInfinite<
    BaseSearchResult<T> & S
  >(
    (pageIndex: number, previousPageData) => {
@@ -120,7 +119,6 @@ const useDiscover = <
    error,
    titles,
    firstResultData: data?.[0],
-    mutate,
  };
 };