Deny unauthorized access to channel type.

modified: lib/services/identity/controllers/identity-channel-controller.js
oddnetworks · Oct 27, 2016 · 241e233 · 241e233
1 parent b0ecd3d
commit 241e233
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/lib/services/identity/controllers/identity-channel-controller.js b/lib/services/identity/controllers/identity-channel-controller.js
@@ -13,6 +13,10 @@ class IdentityChannelController extends IdentityItemController {
 		const id = req.params.id;
 		const args = {type, id};
 
+		if (!this.checkChannelAccess(req)) {
+			return next(Boom.forbidden('Access to the requested channel is forbidden'));
+		}
+
 		if (req.query.include) {
 			args.include = req.query.include.split(',');
 		}
@@ -37,6 +41,10 @@ class IdentityChannelController extends IdentityItemController {
 		const payload = req.body;
 		const args = {type, id};
 
+		if (!this.checkChannelAccess(req)) {
+			return next(Boom.forbidden('Access to the requested channel is forbidden'));
+		}
+
 		return this.bus.query({role: 'store', cmd: 'get', type}, args)
 			.then(resource => {
 				if (resource) {
@@ -63,6 +71,10 @@ class IdentityChannelController extends IdentityItemController {
 		const id = req.params.id;
 		const args = {type, id};
 
+		if (!this.checkChannelAccess(req)) {
+			return next(Boom.forbidden('Access to the requested channel is forbidden'));
+		}
+
 		return this.bus.sendCommand({role: 'store', cmd: 'remove', type}, args)
 			.then(() => {
 				res.body = {};
@@ -73,6 +85,14 @@ class IdentityChannelController extends IdentityItemController {
 			.catch(next);
 	}
 
+	checkChannelAccess(req) {
+		if (this.isAdminRequest(req)) {
+			return true;
+		}
+
+		return req.params.id === _.get(req, 'identity.channel.id');
+	}
+
 	static create(spec) {
 		if (!spec.bus || !_.isObject(spec.bus)) {
 			throw new Error('IdentityChannelController spec.bus is required');