mirror of
https://github.com/standardnotes/server
synced 2026-07-14 00:01:54 -04:00
fix(auth): prevent listing sessions on readonly access
This commit is contained in:
@@ -58,6 +58,10 @@ export class SessionsController extends BaseHttpController {
|
||||
|
||||
@httpGet('/', TYPES.AuthMiddleware, TYPES.SessionMiddleware)
|
||||
async getSessions(_request: Request, response: Response): Promise<results.JsonResult> {
|
||||
if (response.locals.readOnlyAccess) {
|
||||
return this.json([])
|
||||
}
|
||||
|
||||
const useCaseResponse = await this.getActiveSessionsForUser.execute({
|
||||
userUuid: response.locals.user.uuid,
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user