fix(auth): prevent listing sessions on readonly access

This commit is contained in:
Karol Sójko
2023-03-06 09:47:54 +01:00
parent 49b6d029c4
commit dbccdf342b
@@ -58,6 +58,10 @@ export class SessionsController extends BaseHttpController {
@httpGet('/', TYPES.AuthMiddleware, TYPES.SessionMiddleware)
async getSessions(_request: Request, response: Response): Promise<results.JsonResult> {
if (response.locals.readOnlyAccess) {
return this.json([])
}
const useCaseResponse = await this.getActiveSessionsForUser.execute({
userUuid: response.locals.user.uuid,
})