From dbccdf342b52f81fb14f246784d5dc6def2ff3fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karol=20S=C3=B3jko?= Date: Mon, 6 Mar 2023 09:47:54 +0100 Subject: [PATCH] fix(auth): prevent listing sessions on readonly access --- packages/auth/src/Controller/SessionsController.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/packages/auth/src/Controller/SessionsController.ts b/packages/auth/src/Controller/SessionsController.ts index a7796217e..bebeab699 100644 --- a/packages/auth/src/Controller/SessionsController.ts +++ b/packages/auth/src/Controller/SessionsController.ts @@ -58,6 +58,10 @@ export class SessionsController extends BaseHttpController { @httpGet('/', TYPES.AuthMiddleware, TYPES.SessionMiddleware) async getSessions(_request: Request, response: Response): Promise { + if (response.locals.readOnlyAccess) { + return this.json([]) + } + const useCaseResponse = await this.getActiveSessionsForUser.execute({ userUuid: response.locals.user.uuid, })