fix: acl check for subdomain on access

KernelDeimos · KernelDeimos · commit c69006e1852b · 2024-12-18T14:51:30.000-05:00
diff --git a/src/backend/src/routers/hosting/puter-site.js b/src/backend/src/routers/hosting/puter-site.js
@@ -147,6 +147,14 @@ class PuterSiteMiddleware extends AdvancedBase {
                 res.status(502).send('subdomain is pointing to non-directory');
             }
 
+            // Verify subdomain owner permission
+            const subdomain_actor = Actor.adapt(subdomain_owner);
+            const svc_acl = services.get('acl');
+            if ( ! await svc_acl.check(subdomain_actor, node, 'read') ) {
+                res.status(502).send('subdomain owner does not have access to directory');
+                return;
+            }
+
             subdomain_root_path = await node.get('path');
         }
 

Original file line number	Diff line number	Diff line change
`@@ -147,6 +147,14 @@ class PuterSiteMiddleware extends AdvancedBase {`
`147`	`147`	`res.status(502).send('subdomain is pointing to non-directory');`
`148`	`148`	`}`
`149`	`149`
	`150`	`+ // Verify subdomain owner permission`
	`151`	`+ const subdomain_actor = Actor.adapt(subdomain_owner);`
	`152`	`+ const svc_acl = services.get('acl');`
	`153`	`+ if ( ! await svc_acl.check(subdomain_actor, node, 'read') ) {`
	`154`	`+ res.status(502).send('subdomain owner does not have access to directory');`
	`155`	`+ return;`
	`156`	`+ }`
	`157`	`+`
`150`	`158`	`subdomain_root_path = await node.get('path');`
`151`	`159`	`}`
`152`	`160`