strapi-plugin-magic-sessionmanager 3.2.0 → 3.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
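--- a/package/dist/server/index.js
+++ b/package/dist/server/index.js
@@ -760,14 +760,16 @@ var session$3 = {
 },
 /**
 * Get user's sessions
-* GET /magic-sessionmanager/user/:userId/sessions
-*
+* GET /magic-sessionmanager/user/:userId/sessions (Admin API)
+* GET /api/magic-sessionmanager/user/:userId/sessions (Content API)
+* SECURITY: Admins can view any user, Content API users only their own
 */
 async getUserSessions(ctx) {
 try {
 const { userId } = ctx.params;
+const isAdminRequest = ctx.state.userAbility || ctx.state.admin;
 const requestingUserId = ctx.state.user?.id;
-if (requestingUserId && String(requestingUserId) !== String(userId)) {
+if (!isAdminRequest && requestingUserId && String(requestingUserId) !== String(userId)) {
 strapi.log.warn(`[magic-sessionmanager] Security: User ${requestingUserId} tried to access sessions of user ${userId}`);
 return ctx.forbidden("You can only access your own sessions");
 }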
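--- a/package/dist/server/index.mjs
+++ b/package/dist/server/index.mjs
@@ -756,14 +756,16 @@ var session$3 = {
 },
 /**
 * Get user's sessions
-* GET /magic-sessionmanager/user/:userId/sessions
-*
+* GET /magic-sessionmanager/user/:userId/sessions (Admin API)
+* GET /api/magic-sessionmanager/user/:userId/sessions (Content API)
+* SECURITY: Admins can view any user, Content API users only their own
 */
 async getUserSessions(ctx) {
 try {
 const { userId } = ctx.params;
+const isAdminRequest = ctx.state.userAbility || ctx.state.admin;
 const requestingUserId = ctx.state.user?.id;
-if (requestingUserId && String(requestingUserId) !== String(userId)) {
+if (!isAdminRequest && requestingUserId && String(requestingUserId) !== String(userId)) {
 strapi.log.warn(`[magic-sessionmanager] Security: User ${requestingUserId} tried to access sessions of user ${userId}`);
 return ctx.forbidden("You can only access your own sessions");
 }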
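--- a/package/package.json
+++ b/package/package.json
@@ -57,16 +57,21 @@ module.exports = {
 
 /**
 * Get user's sessions
-* GET /magic-sessionmanager/user/:userId/sessions
-*
+* GET /magic-sessionmanager/user/:userId/sessions (Admin API)
+* GET /api/magic-sessionmanager/user/:userId/sessions (Content API)
+* SECURITY: Admins can view any user, Content API users only their own
 */
 async getUserSessions(ctx) {
 try {
 const { userId } = ctx.params;
+
+// Check if this is an admin request
+const isAdminRequest = ctx.state.userAbility || ctx.state.admin;
 const requestingUserId = ctx.state.user?.id;
 
-// SECURITY CHECK:
-
+// SECURITY CHECK: Content API users can only see their own sessions
+// Admins can see any user's sessions
+if (!isAdminRequest && requestingUserId && String(requestingUserId) !== String(userId)) {
 strapi.log.warn(`[magic-sessionmanager] Security: User ${requestingUserId} tried to access sessions of user ${userId}`);
 return ctx.forbidden('You can only access your own sessions');
 }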
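Review bot: The rewritten `if` at new line 74 still lets a request with no authenticated user through, because the `requestingUserId &&` term makes the ownership check vanish whenever `ctx.state.user` is undefined, so a non-admin caller that reaches this handler without a user (for example if the Content API route were ever granted to the public role) can read the sessions of an arbitrary `:userId`. Failing closed is one token shorter: `if (!isAdminRequest && String(requestingUserId) !== String(userId)) {`, which routes unauthenticated callers to the same `ctx.forbidden` branch instead of past it. Treating `ctx.state.userAbility || ctx.state.admin` as the admin signal is presumably right for Strapi's admin auth strategy, but it is derived from request state rather than from the route's auth configuration, so it is worth confirming that neither field can be populated on a Content API request, since either one skips the owner check entirely. The section header reads package/package.json, yet the hunk context is `module.exports = {` of a controller, which looks like a rendering mix-up rather than a change to package.json. getUserSessions continues beyond the end of the hunk.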