From 5223d5ec79563e56fb8efeec492a85bbe0253000 Mon Sep 17 00:00:00 2001
From: Fredrik Vedvik
Date: Tue, 27 Feb 2024 11:42:34 +0100
Subject: [PATCH] add perm filter
---
 server/api/files/upload/[destination].post.ts | 16 ++++++++++++++--
 server/api/vx/[id]/preview.get.ts | 12 ++++++++++++
 server/api/vx/[id]/transcription.get.ts | 12 ++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/server/api/files/upload/[destination].post.ts b/server/api/files/upload/[destination].post.ts
index e05965a..91d38f6 100644
--- a/server/api/files/upload/[destination].post.ts
+++ b/server/api/files/upload/[destination].post.ts
@@ -1,6 +1,18 @@
 import { IncomingForm } from "formidable";
 
-export default defineEventHandler((event) => {
+export default defineEventHandler(async (event) => {
+ const email = getHeader(event, "x-token-user-email");
+ if (!email) {
+ setResponseStatus(event, 401);
+ return;
+ }
+
+ const perms = await getPermissions(email);
+ if (!perms?.admin) {
+ setResponseStatus(event, 403);
+ return;
+ }
+
 const destination = getRouterParam(event, "destination");
 if (!destination) {
 return;
@@ -20,7 +32,7 @@ export default defineEventHandler((event) => {
 createDirsFromUploads: true,
 });
 
- return new Promise((resolve, reject) => {
+ await new Promise((resolve, reject) => {
 form.parse(event.node.req, (err, fields, files) => {
 if (err) {
 reject(err);
diff --git a/server/api/vx/[id]/preview.get.ts b/server/api/vx/[id]/preview.get.ts
index ccaef7a..e995093 100644
--- a/server/api/vx/[id]/preview.get.ts
+++ b/server/api/vx/[id]/preview.get.ts
@@ -1,4 +1,16 @@
 export default defineEventHandler(async (event) => {
+ const email = getHeader(event, "x-token-user-email");
+ if (!email) {
+ setResponseStatus(event, 401);
+ return;
+ }
+
+ const perms = await getPermissions(email);
+ if (!perms?.admin) {
+ setResponseStatus(event, 403);
+ return;
+ }
+
 const id = getRouterParam(event, "id");
 const config = useRuntimeConfig().api.cantemo;
 
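Review bot: The new admin check at the top of the upload handler takes the caller's identity solely from the `x-token-user-email` request header, and nothing in this hunk shows that only a trusted component can set it. If the handler can be reached without passing through whatever is meant to populate the header (presumably an authenticating proxy), or that component does not strip a client-supplied copy, the email is caller-controlled and the `perms?.admin` test no longer restricts anything. I would record the assumption next to the `getHeader` call, e.g. `// x-token-user-email is set by the auth proxy after token validation; inbound copies must be stripped there`, and confirm the server is not reachable except through that path. The same guard is added in `preview.get.ts` and `transcription.get.ts`, so this applies there too.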
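Review bot: Changing `return new Promise(...)` to `await new Promise(...)` discards whatever the promise resolves with, so the response body now depends on code after the await that this hunk does not show. If nothing is returned there, callers that used to receive the parse result get an empty response. If that is intended (for example, to stop echoing server-side upload details back to the client), a comment such as `// wait for the upload to finish; the parse result is deliberately not returned` would make it explicit. The promise callback and the rest of the handler continue outside the hunk.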
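Review bot: The email/admin guard at the top of this handler is a verbatim copy of the one added to the upload handler, and `transcription.get.ts` gets a third copy. A later change to the rule then has to be made in every copy, and a new route can be added without the check at all. Moving it into one shared server helper that throws keeps it fail-closed even if a caller forgets to inspect a return value; each handler then starts with `await requireAdmin(event);`. Note that `createError` sends an error body, whereas the current code sends an empty response with only the status set. The handler body continues outside the hunk.

```typescript
// shared helper, called as the first statement of each protected handler
export async function requireAdmin(event: H3Event) {
  const email = getHeader(event, "x-token-user-email");
  if (!email) {
    throw createError({ statusCode: 401 });
  }
  const perms = await getPermissions(email);
  if (!perms?.admin) {
    throw createError({ statusCode: 403 });
  }
  return email;
}
```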
diff --git a/server/api/vx/[id]/transcription.get.ts b/server/api/vx/[id]/transcription.get.ts
index 07633ea..1e3c6e6 100644
--- a/server/api/vx/[id]/transcription.get.ts
+++ b/server/api/vx/[id]/transcription.get.ts
@@ -1,4 +1,16 @@
 export default defineEventHandler(async (event) => {
+ const email = getHeader(event, "x-token-user-email");
+ if (!email) {
+ setResponseStatus(event, 401);
+ return;
+ }
+
+ const perms = await getPermissions(email);
+ if (!perms?.admin) {
+ setResponseStatus(event, 403);
+ return;
+ }
+
 const id = getRouterParam(event, "id");
 const config = useRuntimeConfig().api.cantemo;