adapt-authoring-content 3.2.0 → 3.2.1

package/lib/ContentModule.js

@@ -665,8 +665,18 @@ class ContentModule extends AbstractApiModule {
       const course = await this.findOne(
         { _type: 'course', _courseId },
         { validate: false },
-        { projection: { updatedAt: 1 } }
+        { projection: { updatedAt: 1, _type: 1, createdBy: 1, _isShared: 1, _shareWithUsers: 1, userGroups: 1 } }
       )
+      if (!course) {
+        throw this.app.errors.NOT_FOUND.setData({ type: 'content', id: _courseId })
+      }
+      // this custom handler bypasses the standard per-item access check, so apply
+      // it here: the tree is readable only if the user can access the course
+      // (owner / _isShared / _shareWithUsers / shared group). 404 (not 403) so we
+      // don't leak the course's existence. Supers are exempt.
+      if (!req.auth.isSuper && this.accessCheckHook.hasObservers && !(await this.accessCheckHook.invoke(req, course)).every(Boolean)) {
+        throw this.app.errors.NOT_FOUND.setData({ type: 'content', id: _courseId })
+      }
       const lastModified = new Date(course.updatedAt)
       lastModified.setMilliseconds(0) // HTTP dates are second-precision; must match before comparing
       const ifModifiedSince = req.headers['if-modified-since'] && new Date(req.headers['if-modified-since'])

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "adapt-authoring-content",
-  "version": "3.2.0",
+  "version": "3.2.1",
   "description": "Module for managing Adapt content",
   "homepage": "https://github.com/adapt-security/adapt-authoring-content",
   "license": "GPL-3.0",

package/tests/ContentModule.spec.js

@@ -560,6 +560,7 @@ describe('ContentModule', () => {
       let statusCode
       let ended = false
       const req = {
+        auth: { isSuper: true },
         apiData: { query: { _courseId: COURSE_ID } },
         headers: { 'if-modified-since': new Date('2025-01-02T00:00:00Z').toUTCString() }
       }
@@ -586,6 +587,7 @@ describe('ContentModule', () => {
         find: mock.fn(async () => items)
       })
       const req = {
+        auth: { isSuper: true },
         apiData: { query: { _courseId: COURSE_ID } },
         headers: {}
       }
@@ -617,13 +619,65 @@ describe('ContentModule', () => {
       const inst = createInstance({
         findOne: mock.fn(async () => { throw new Error('db error') })
       })
-      const req = { apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const req = { auth: { isSuper: true }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
       const res = {}
       const next = mock.fn()
       await ContentModule.prototype.handleTree.call(inst, req, res, next)
       assert.equal(next.mock.callCount(), 1)
       assert.equal(next.mock.calls[0].arguments[0].message, 'db error')
     })
+
+    it('should run the per-item access check for non-super users and return the tree when allowed', async () => {
+      const lastModified = new Date('2025-01-15T00:00:00Z')
+      const course = { _id: COURSE_ID, _type: 'course', updatedAt: lastModified }
+      const accessCheckHook = { hasObservers: true, invoke: mock.fn(async () => [true]) }
+      const inst = createInstance({
+        accessCheckHook,
+        findOne: mock.fn(async () => course),
+        find: mock.fn(async () => [{ _id: COURSE_ID, _type: 'course', _courseId: COURSE_ID }])
+      })
+      const req = { auth: { isSuper: false, user: {} }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const res = { set: mock.fn(), json: mock.fn() }
+      const next = mock.fn()
+      await ContentModule.prototype.handleTree.call(inst, req, res, next)
+
+      assert.equal(accessCheckHook.invoke.mock.callCount(), 1, 'access check invoked')
+      assert.deepEqual(accessCheckHook.invoke.mock.calls[0].arguments, [req, course], 'check receives req + the course')
+      assert.equal(inst.find.mock.callCount(), 1)
+      assert.equal(next.mock.callCount(), 0)
+    })
+
+    it('should 404 (not leak existence) when the access check denies the course', async () => {
+      const accessCheckHook = { hasObservers: true, invoke: mock.fn(async () => [false]) }
+      const inst = createInstance({
+        accessCheckHook,
+        findOne: mock.fn(async () => ({ _id: COURSE_ID, _type: 'course', updatedAt: new Date() })),
+        app: { errors: { NOT_FOUND: { setData: () => new Error('NOT_FOUND') } } }
+      })
+      const req = { auth: { isSuper: false, user: {} }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const next = mock.fn()
+      await ContentModule.prototype.handleTree.call(inst, req, {}, next)
+
+      assert.equal(next.mock.callCount(), 1)
+      assert.equal(next.mock.calls[0].arguments[0].message, 'NOT_FOUND')
+      assert.equal(inst.find.mock.callCount(), 0, 'should not fetch items for an inaccessible course')
+    })
+
+    it('should skip the access check for super users', async () => {
+      const accessCheckHook = { hasObservers: true, invoke: mock.fn(async () => [false]) }
+      const inst = createInstance({
+        accessCheckHook,
+        findOne: mock.fn(async () => ({ _id: COURSE_ID, _type: 'course', updatedAt: new Date('2025-01-15T00:00:00Z') })),
+        find: mock.fn(async () => [])
+      })
+      const req = { auth: { isSuper: true }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const res = { set: mock.fn(), json: mock.fn() }
+      const next = mock.fn()
+      await ContentModule.prototype.handleTree.call(inst, req, res, next)
+
+      assert.equal(accessCheckHook.invoke.mock.callCount(), 0, 'super bypasses the access check')
+      assert.equal(next.mock.callCount(), 0)
+    })
   })
 
   describe('enforceAssetNotInUse', () => {