npm - nodebb-plugin-calendar-onekite - Versions diffs - 11.1.18 → 11.1.20 - Mend

nodebb-plugin-calendar-onekite 11.1.18 → 11.1.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/library.js +36 -33
package/package.json +1 -1

package/library.js CHANGED Viewed

@@ -20,62 +20,65 @@ const mw = (...fns) => fns.filter(isFn);
 Plugin.init = async function (params) {
   const { router, middleware } = params;
+  // Build middleware arrays safely and always spread them into Express route methods.
+  // Express will throw if any callback is undefined, so we filter strictly.
+  const publicExpose = mw(middleware && middleware.exposeUid);
+  const publicAuth = mw(middleware && middleware.exposeUid, middleware && middleware.ensureLoggedIn);
+  // Robust admin guard: avoid middleware.admin.checkPrivileges() signature differences
+  // across NodeBB versions. We treat membership in the 'administrators' group as admin.
+  const Groups = require.main.require('./src/groups');
+  async function adminOnly(req, res, next) {
+    try {
+      const uid = req.uid;
+      if (!uid) {
+        return res.status(401).json({ status: { code: 'not-authorized', message: 'Not logged in' } });
+      }
+      const isAdmin = await Groups.isMember(uid, 'administrators');
+      if (!isAdmin) {
+        return res.status(403).json({ status: { code: 'not-authorized', message: 'Not allowed' } });
+      }
+      return next();
+    } catch (err) {
+      return next(err);
+    }
+  }
+  const adminMws = mw(middleware && middleware.exposeUid, middleware && middleware.ensureLoggedIn, adminOnly);
   // Page routes (HTML)
   // IMPORTANT: pass an ARRAY for middlewares (even if empty), otherwise
   // setupPageRoute will throw "middlewares is not iterable".
   routeHelpers.setupPageRoute(router, '/calendar', mw(), controllers.renderCalendar);
   routeHelpers.setupAdminPageRoute(router, '/admin/plugins/calendar-onekite', mw(), admin.renderAdmin);
-// Public API (JSON)
+  // Public API (JSON)
   // We register both v3 and legacy (/api/...) endpoints as a compatibility fallback.
-  const publicExpose = mw(middleware.exposeUid);
-  const publicAuth = mw(middleware.exposeUid, middleware.ensureLoggedIn);
   ['/api/v3/plugins/calendar-onekite/events', '/api/plugins/calendar-onekite/events'].forEach((p) => {
-    router.get(p, publicExpose, api.getEvents);
+    router.get(p, ...publicExpose, api.getEvents);
   });
   ['/api/v3/plugins/calendar-onekite/items', '/api/plugins/calendar-onekite/items'].forEach((p) => {
-    router.get(p, publicExpose, api.getItems);
+    router.get(p, ...publicExpose, api.getItems);
   });
   ['/api/v3/plugins/calendar-onekite/reservations', '/api/plugins/calendar-onekite/reservations'].forEach((p) => {
-    router.post(p, publicAuth, api.createReservation);
+    router.post(p, ...publicAuth, api.createReservation);
   });
   // Admin API (JSON)
-  // Admin guard: avoid calling middleware.admin.checkPrivileges directly because its signature
-  // differs across NodeBB versions (and can crash the server if invoked incorrectly).
-  const Groups = require.main.require('./src/groups');
-  const requireAdmin = async (req, res, next) => {
-    try {
-      if (!req.uid) {
-        return res.status(403).json({ status: { code: 'forbidden', message: 'not-logged-in' } });
-      }
-      const isAdmin = await Groups.isMember(req.uid, 'administrators');
-      if (!isAdmin) {
-        return res.status(403).json({ status: { code: 'forbidden', message: 'admin-only' } });
-      }
-      return next();
-    } catch (err) {
-      return next(err);
-    }
-  };
-  const adminMws = mw(middleware.exposeUid, middleware.ensureLoggedIn, requireAdmin);
   const adminBases = ['/api/v3/admin/plugins/calendar-onekite', '/api/admin/plugins/calendar-onekite'];
   adminBases.forEach((base) => {
-    router.get(`${base}/settings`, adminMws, admin.getSettings);
-    router.put(`${base}/settings`, adminMws, admin.saveSettings);
+    router.get(`${base}/settings`, ...adminMws, admin.getSettings);
+    router.put(`${base}/settings`, ...adminMws, admin.saveSettings);
-    router.get(`${base}/pending`, adminMws, admin.listPending);
-    router.put(`${base}/reservations/:rid/approve`, adminMws, admin.approveReservation);
-    router.put(`${base}/reservations/:rid/refuse`, adminMws, admin.refuseReservation);
+    router.get(`${base}/pending`, ...adminMws, admin.listPending);
+    router.put(`${base}/reservations/:rid/approve`, ...adminMws, admin.approveReservation);
+    router.put(`${base}/reservations/:rid/refuse`, ...adminMws, admin.refuseReservation);
-    router.post(`${base}/purge`, adminMws, admin.purgeByYear);
-    router.get(`${base}/debug`, adminMws, admin.debugHelloAsso);
+    router.post(`${base}/purge`, ...adminMws, admin.purgeByYear);
+    router.get(`${base}/debug`, ...adminMws, admin.debugHelloAsso);
   });
   scheduler.start();
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-calendar-onekite",
-  "version": "11.1.18",
+  "version": "11.1.20",
   "description": "FullCalendar-based equipment reservation workflow with admin approval & HelloAsso payment for NodeBB",
   "main": "library.js",
   "license": "MIT",