Set HTTP method restriction on WebAPI actions

PR #17548.
Chocobo1 2022-08-15 11:56:59 +08:00 committed by GitHub
parent 17d40855d2
commit aa6b29fe7e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 0 deletions


@ -251,9 +251,11 @@ void WebApplication::doProcessRequest()
const QString action = match.captured(u"action"_qs);
const QString scope = match.captured(u"scope"_qs);
// Check public/private scope
if (!session() && !isPublicAPI(scope, action))
throw ForbiddenHTTPError();
// Find matching API
APIController *controller = nullptr;
if (session())
controller = session()->getAPIController(scope);
@ -265,6 +267,20 @@ void WebApplication::doProcessRequest()
throw NotFoundHTTPError();
}
// Filter HTTP methods
const auto allowedMethodIter = m_allowedMethod.find({scope, action});
if (allowedMethodIter == m_allowedMethod.end())
{
// by default allow both GET, POST methods
if ((m_request.method != Http::METHOD_GET) && (m_request.method != Http::METHOD_POST))
throw MethodNotAllowedHTTPError();
}
else
{
if (*allowedMethodIter != m_request.method)
throw MethodNotAllowedHTTPError();
}
DataMap data;
for (const Http::UploadedFile &torrent : request().files)
data[torrent.filename] = torrent.data;
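Review bot: The fallback branch under `// Filter HTTP methods` still accepts GET for every `{scope, action}` pair that has no entry in `m_allowedMethod`, so the restriction is opt-in: a state-changing action that is added later without an entry stays reachable through a plain GET request. The table itself is defined outside this section, so which actions it covers cannot be confirmed from here. Since narrowing the default to POST could break existing clients, I would at least state the contract at the fallback, for example `// Unlisted actions accept GET and POST; every state-changing action must have a POST-only entry in m_allowedMethod`. A smaller style point: this block reads `m_request.method` directly while the loop just below goes through `request()`, and using one form throughout would be more consistent. The body of `doProcessRequest()` starts and ends outside the hunk.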