@@ -88,18 +88,32 @@ export class StateObject<
8888 }
8989
9090
91- getRefererRecipe ( ) {
91+ assertWikiReferer ( recipe_slug : string ) {
9292 const state = this ;
93- if ( ! state . headers . get ( " referer" ) ) return ;
94- const referer = new URL ( state . headers . get ( " referer" ) ! ) ;
93+ if ( ! state . headers . referer ) return ;
94+ const referer = new URL ( state . headers . referer ) ;
9595 // console.log("Referer", state.headers.referer, referer);
9696 if ( ! referer . pathname . startsWith ( state . pathPrefix ) )
9797 throw state . sendEmpty ( 404 , { "x-reason" : "invalid path prefix" } ) ;
9898 if ( ! referer . pathname . startsWith ( state . pathPrefix + "/wiki/" ) )
9999 return ; // keep going
100100 // we now get the recipe name from the referer
101101 const recipe_name = referer . pathname . substring ( state . pathPrefix . length + "/wiki/" . length ) ;
102- return decodeURIComponent ( recipe_name ) as PrismaField < "Recipe" , "id" > ;
102+ const referer_slug = decodeURIComponent ( recipe_name ) as PrismaField < "Recipe" , "id" > ;
103+ if ( referer_slug !== recipe_slug )
104+ throw new SendError ( "CROSS_WIKI_ACCESS_DENIED" , 403 , null ) ;
105+ }
106+
107+ assertAdminReferer ( ) {
108+ const state = this ;
109+ // referer is a voluntary header
110+ if ( ! state . headers . referer ) return ;
111+ const referer = new URL ( state . headers . referer ) ;
112+ // deny referers from outside our pathprefix
113+ if ( ! referer . pathname . startsWith ( state . pathPrefix ) )
114+ throw new SendError ( "ADMIN_ACCESS_DENIED" , 403 , null ) ;
115+ if ( referer . pathname . startsWith ( state . pathPrefix + "/wiki/" ) )
116+ throw new SendError ( "ADMIN_ACCESS_DENIED" , 403 , null ) ;
103117 }
104118
105119
0 commit comments