Fix API endpoints that were unsecured

api/images.js

@@ -1,5 +1,6 @@
 const router = require('express-promise-router')()
 const db = require('../db')
+const ensureAdmin = require('./middleware/ensureAdmin')
 
 router.get('/:uuid/:size', async (req, res) => {
   const image = await db.item.getImage(req.params.uuid, req.params.size)
@@ -8,12 +9,12 @@ router.get('/:uuid/:size', async (req, res) => {
   res.end(image.file)
 })
 
-router.post('/:uuid/featured', async (req, res) => {
+router.post('/:uuid/featured', ensureAdmin, async (req, res) => {
   const item = await db.item.setFeatured(req.params.uuid)
   res.json(item)
 })
 
-router.delete('/:uuid', async (req, res) => {
+router.delete('/:uuid', ensureAdmin, async (req, res) => {
   const item = await db.item.removeImage(req.params.uuid)
   res.json(item)
 })

api/items.js

@@ -3,6 +3,7 @@ const bodyParser = require('body-parser')
 const parseJSON = bodyParser.json()
 const b64 = require('base64-async')
 const db = require('../db')
+const ensureAdmin = require('./middleware/ensureAdmin')
 
 const validate = require('./middleware/validators')
 
@@ -15,11 +16,7 @@ const upload = require('multer')({
 })
 
 router.get('/', async (req, res) => {
-  const showUnpublished =
-    // Only respect query parameter if user is admin
-    (req.user && req.user.is_admin)
-      ? req.query.showUnpublished
-      : false
+  const showUnpublished = (req.user?.is_admin && req.query.showUnpublished) || false
 
   const items = await db.item.findAll(showUnpublished)
 
@@ -35,7 +32,7 @@ const itemValidators = [
   validate.handleApiError
 ]
 
-router.post('/', parseJSON, itemValidators, async (req, res) => {
+router.post('/', ensureAdmin, parseJSON, itemValidators, async (req, res) => {
   const item = await db.item.create(
     req.body.name,
     req.body.urlslug,
@@ -56,7 +53,7 @@ router.get('/by-slug/:slug', async (req, res) => {
   res.json(item)
 })
 
-router.post('/:uuid', parseJSON, itemValidators, async (req, res) => {
+router.post('/:uuid', ensureAdmin, parseJSON, itemValidators, async (req, res) => {
   const item = await db.item.update(
     req.params.uuid,
     req.body.name,
@@ -69,7 +66,7 @@ router.post('/:uuid', parseJSON, itemValidators, async (req, res) => {
   res.json(item)
 })
 
-router.post('/:uuid/images', upload.single('image'), bodyParser.json({limit: '5MB'}), async (req, res) => {
+router.post('/:uuid/images', ensureAdmin, upload.single('image'), bodyParser.json({limit: '5MB'}), async (req, res) => {
   // Handle either image upload body or JSON body
   try {
     if(req.file)
@@ -84,12 +81,12 @@ router.post('/:uuid/images', upload.single('image'), bodyParser.json({limit: '5M
   res.json(await db.item.findById(req.params.uuid))
 })
 
-router.post('/:uuid/publish', async (req, res) => {
+router.post('/:uuid/publish', ensureAdmin, async (req, res) => {
   const item = await db.item.publish(req.params.uuid)
   res.json(item)
 })
 
-router.post('/:uuid/unpublish', async (req, res) => {
+router.post('/:uuid/unpublish', ensureAdmin, async (req, res) => {
   const item = await db.item.unpublish(req.params.uuid)
   res.json(item)
 })

api/users.js

@@ -105,7 +105,7 @@ const changePasswordValidation = [
   validate.oldPasswordNotSame,
   validate.handleApiError
 ]
-router.put('/current/password', parseJSON, changePasswordValidation, ensureUser, async (req, res) => {
+router.put('/current/password', ensureUser, parseJSON, changePasswordValidation, async (req, res) => {
   const user = await db.user.changePassword(
     req.user.uuid,
     req.body.oldPassword,