[helix-front] only allow guest to perform GET operations
Project: http://git-wip-us.apache.org/repos/asf/helix/repo Commit: http://git-wip-us.apache.org/repos/asf/helix/commit/874f9e63 Tree: http://git-wip-us.apache.org/repos/asf/helix/tree/874f9e63 Diff: http://git-wip-us.apache.org/repos/asf/helix/diff/874f9e63 Branch: refs/heads/master Commit: 874f9e63ecc8c60ae21973ad0bfd8c785fd32e4a Parents: b69043c Author: Vivo Xu <v...@linkedin.com> Authored: Fri Sep 29 16:39:39 2017 -0700 Committer: Junkai Xue <j...@linkedin.com> Committed: Mon Nov 6 17:08:51 2017 -0800 ---------------------------------------------------------------------- .../cluster-detail/cluster-detail.component.html | 14 ++++++-------- helix-front/server/controllers/helix.ts | 13 ++++++++++--- 2 files changed, 16 insertions(+), 11 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/helix/blob/874f9e63/helix-front/client/app/cluster/cluster-detail/cluster-detail.component.html
----------------------------------------------------------------------
diff --git a/helix-front/client/app/cluster/cluster-detail/cluster-detail.component.html b/helix-front/client/app/cluster/cluster-detail/cluster-detail.component.html
index f6ee7d1..fe9091a 100644
--- a/helix-front/client/app/cluster/cluster-detail/cluster-detail.component.html
+++ b/helix-front/client/app/cluster/cluster-detail/cluster-detail.component.html
@@ -3,11 +3,9 @@
 <md-toolbar class="mat-elevation-z1">
 <hi-detail-header [cluster]="clusterName"></hi-detail-header>
 <hi-disabled-label *ngIf="!cluster?.enabled" text="DISABLED"></hi-disabled-label>
- <md-toolbar-row *ngIf="isLoading" class="information">
- <md-spinner></md-spinner>
- </md-toolbar-row>
- <md-toolbar-row *ngIf="!isLoading" class="information">
- <h6>Controller:
+ <md-toolbar-row class="information">
+ <md-spinner *ngIf="isLoading"></md-spinner>
+ <h6 *ngIf="!isLoading">Controller:
 <a md-button color="accent" routerLink="controller">{{ cluster.controller }}</a>
 </h6>
 <span fxFlex="1 1 auto"></span>
@@ -15,15 +13,15 @@
 <md-icon>menu</md-icon>
 </button>
 <md-menu #menu="mdMenu">
- <button md-menu-item *ngIf="cluster.controller == 'No Lead Controller!'" (click)="activateCluster()">
+ <button md-menu-item *ngIf="cluster?.controller == 'No Lead Controller!'" (click)="activateCluster()">
 <md-icon>settings_input_antenna</md-icon>
 <span>Activate this Cluster</span>
 </button>
- <button md-menu-item *ngIf="cluster.enabled" (click)="disableCluster()">
+ <button md-menu-item *ngIf="cluster?.enabled" (click)="disableCluster()">
 <md-icon>not_interested</md-icon>
 <span>Disable this Cluster</span>
 </button>
- <button md-menu-item *ngIf="!cluster.enabled" (click)="enableCluster()">
+ <button md-menu-item *ngIf="!cluster?.enabled" (click)="enableCluster()">
 <md-icon>play_circle_outline</md-icon>
 <span>Enable this Cluster</span>
 </button>
http://git-wip-us.apache.org/repos/asf/helix/blob/874f9e63/helix-front/server/controllers/helix.ts
----------------------------------------------------------------------
diff --git a/helix-front/server/controllers/helix.ts b/helix-front/server/controllers/helix.ts
index e3c542e..bed892c 100644
--- a/helix-front/server/controllers/helix.ts
+++ b/helix-front/server/controllers/helix.ts
@@ -2,7 +2,7 @@ import { Request, Response, Router } from 'express';
 import * as request from 'request';
-import { HELIX_ENDPOINTS } from '../config';
+import { HELIX_ENDPOINTS, IsAdmin } from '../config';
 export class HelixCtrl {
@@ -23,6 +23,13 @@ export class HelixCtrl {
 segments.shift();
 const name = segments.join('.');
+ const user = req.session.username;
+ const method = req.method.toLowerCase();
+ if (method != 'get' && !IsAdmin(user)) {
+ res.status(403).send('Forbidden');
+ return;
+ }
+
 let apiPrefix = null;
 if (HELIX_ENDPOINTS[group]) {
 HELIX_ENDPOINTS[group].forEach(section => {
@@ -34,11 +41,11 @@ export class HelixCtrl {
 if (apiPrefix) {
 const realUrl = apiPrefix + url.replace(`/${ helixKey }`, '');
- request[req.method.toLowerCase()]({
+ request[method]({
 url: realUrl,
 json: req.body,
 headers: {
- 'Helix-User': req.session.username
+ 'Helix-User': user
 }
 }).pipe(res);
 } else {
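Review bot: In the second hunk of `helix-front/server/controllers/helix.ts`, the new guard is fail-closed only if `IsAdmin` returns false for a missing user: `req.session.username` can be undefined on a request without a login, and `IsAdmin` is defined in `../config`, outside this diff. The 403 branch also returns without recording who was refused, so I would add an audit line before the `return`, for example `console.warn('helix proxy: denied', method, 'from', user);` (or the project's own logger, if it has one). The comparison is better written strictly, `if (method !== 'get' && !IsAdmin(user)) {`. The check treats GET as read-only, which holds only if the Helix REST endpoints behind `HELIX_ENDPOINTS` change no state on GET; a comment above the guard stating that assumption would help the next reader. The enclosing method starts and ends outside the hunk.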