Skip to content

Commit

Permalink
Block logs/backups download when blog.admin-emails is set to _all_
Browse files Browse the repository at this point in the history
  • Loading branch information
tsimonyan authored and synhershko committed Apr 20, 2019
1 parent eba2a86 commit 6adfcc6
Show file tree
Hide file tree
Showing 6 changed files with 55 additions and 12 deletions.
20 changes: 16 additions & 4 deletions admin-frontend/src/api.js
Original file line number Diff line number Diff line change
Expand Up @@ -105,12 +105,24 @@ export function redirectToSocialConnect(socialKey) {
window.location.href = url;
}

export function downloadBackupUrl() {
return '/api/dump/content?state=' + getJwtToken();
export async function downloadBackup() {
const url = '/api/dump/content';
const resp = await authFetch(url, { method: 'OPTIONS' });
const data = await resp.json();
if (data.error) {
throw new Error(data.error);
}
window.location.href = url + '?state=' + getJwtToken();
}

export function downloadLogsUrl() {
return '/api/dump/logs?state=' + getJwtToken();
export async function downloadLogs() {
const url = '/api/dump/logs';
const resp = await authFetch(url, { method: 'OPTIONS' });
const data = await resp.json();
if (data.error) {
throw new Error(data.error);
}
window.location.href = url + '?state=' + getJwtToken();
}

export function uploadImageUrl() {
Expand Down
15 changes: 13 additions & 2 deletions admin-frontend/src/pages/Backup.js
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
import React from 'react';
import { toast } from 'react-toastify';

import LoggedInLayout from '../components/LoggedInLayout';
import SetupWarning from '../components/SetupWarning';
import * as api from '../api';


class Backup extends React.Component {
render() {
return (
Expand All @@ -19,7 +21,7 @@ class Backup extends React.Component {
JSON document with all posts and comments.
</div>
<button
onClick={() => window.location.href = api.downloadBackupUrl()}
onClick={this._onClick.bind(this, api.downloadBackup)}
className='btn btn-primary'>Download complete backup</button>
</div>
<hr/>
Expand All @@ -28,7 +30,7 @@ class Backup extends React.Component {
Archive of all logs in JSONL format.
</div>
<button
onClick={() => window.location.href = api.downloadLogsUrl()}
onClick={this._onClick.bind(this, api.downloadLogs)}
className='btn btn-primary'>Download logs archive</button>
</div>
</div>
Expand All @@ -39,6 +41,15 @@ class Backup extends React.Component {
</LoggedInLayout>
);
}

async _onClick(apiCall) {
try {
await apiCall();
}
catch (err) {
toast.error(err.message);
}
}
}

export default Backup;
4 changes: 4 additions & 0 deletions backend/src/app.js
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ import cookieParser from 'cookie-parser';
import elasticsearch from 'elasticsearch';
import exphbs from './lib/express-handlebars-multi';

import { EmailString } from './util';

require('dotenv').config();

export const config = initConfig();
Expand Down Expand Up @@ -242,6 +244,8 @@ function initConfig() {
}
});

config.blog['admin-emails'] = new EmailString(config.blog['admin-emails']);

return config;
}

Expand Down
3 changes: 1 addition & 2 deletions backend/src/routes/auth/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,12 @@ import initJwt from './jwt';
import initGoogle from './google';
import initGithub from './github';
import initAnonymous from './anonymous';
import { AdminEmails } from './util';

const router = express.Router();
const socialAuthSources = [];

const ADMIN_ROUTE = config.blog['admin-route'];
const ADMIN_EMAILS = new AdminEmails(config.blog['admin-emails']);
const ADMIN_EMAILS = config.blog['admin-emails'];

if (ADMIN_EMAILS.isEmpty()) {
throw new Error('blog.admin-emails configuration variable is not set')
Expand Down
17 changes: 17 additions & 0 deletions backend/src/routes/dump.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,26 @@ import asyncHandler from 'express-async-handler';
import * as commentsService from '../services/comments';
import * as blogPostsService from '../services/blogPosts';
import * as loggingService from '../services/logging';
import { config } from '../app';


const router = express.Router();

router.use((req, res, next) => {
if (config.blog['admin-emails'].isMatchAll()) {
next(new Error('Logs and backups download is disabled when using anonymous access'));
return;
}

if (req.method === 'OPTIONS') {
res.header('Access-Control-Allow-Methods', 'GET,OPTIONS')
res.json({ error: null });
return;
}

next();
});

router.get('/content', asyncHandler(async (req, res) => {
const comments = await commentsService.getAllComments();
const posts = await blogPostsService.getAllItems({
Expand Down
8 changes: 4 additions & 4 deletions backend/src/routes/auth/util.js → backend/src/util.js
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
export class AdminEmails {
constructor(adminEmailsString) {
export class EmailString {
constructor(emailString) {
this.rules = [];

if (! adminEmailsString || ! adminEmailsString.length) {
if (! emailString || ! emailString.length) {
return;
}

this.rules = adminEmailsString.split(',')
this.rules = emailString.split(',')
.map(s => s.trim())
.filter(s => s.length > 0);
}
Expand Down

0 comments on commit 6adfcc6

Please sign in to comment.