fix: api security (#331)

lunary-ai · May 19, 2024 · ddfd497 · ddfd497
1 parent 0755dde
commit ddfd497
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/packages/backend/src/api/v1/template-versions.ts b/packages/backend/src/api/v1/template-versions.ts
@@ -52,14 +52,27 @@ versions.get("/latest", async (ctx: Context) => {
 })
 
 versions.get("/:id", async (ctx: Context) => {
+  const { id: versionId } = ctx.params
+  const { projectId } = ctx.state
+
   const [version] = await sql`
-    select * from template_version where id = ${ctx.params.id}
+    select
+      tv.*
+    from
+      template_version tv
+      left join template t on tv.template_id = t.id
+      left join project p on t.project_id = p.id and p.id = ${projectId}
+    where
+      tv.id = ${versionId}
   `
+  if (!version) {
+    ctx.throw(401, "You do not have access to this ressource.")
+  }
 
   version.extra = unCamelObject(version.extra)
 
   const [template] = await sql`
-    select * from template where project_id = ${ctx.state.projectId} and id = ${version.templateId}
+    select * from template where project_id = ${projectId} and id = ${version.templateId}
   `
 
   ctx.body = { ...version, template }