juice-shop
73 строки · 4.3 Кб
1/** Authorization **/2/* Baskets: Unauthorized users are not allowed to access baskets */3app.use('/rest/basket', security.isAuthorized(), security.appendUserId())4/* BasketItems: API only accessible for authenticated users */5app.use('/api/BasketItems', security.isAuthorized())6app.use('/api/BasketItems/:id', security.isAuthorized())7/* Feedbacks: GET allowed for feedback carousel, POST allowed in order to provide feedback without being logged in */8app.use('/api/Feedbacks/:id', security.isAuthorized())9/* Users: Only POST is allowed in order to register a new user */10app.get('/api/Users', security.isAuthorized())11app.route('/api/Users/:id')12.get(security.isAuthorized())13.put(security.denyAll())14.delete(security.denyAll())15/* Products: Only GET is allowed in order to view products */16app.post('/api/Products', security.isAuthorized())17app.delete('/api/Products/:id', security.denyAll())18/* Challenges: GET list of challenges allowed. Everything else forbidden entirely */19app.post('/api/Challenges', security.denyAll())20app.use('/api/Challenges/:id', security.denyAll())21/* Complaints: POST and GET allowed when logged in only */22app.get('/api/Complaints', security.isAuthorized())23app.post('/api/Complaints', security.isAuthorized())24app.use('/api/Complaints/:id', security.denyAll())25/* Recycles: POST and GET allowed when logged in only */26app.get('/api/Recycles', recycles.blockRecycleItems())27app.post('/api/Recycles', security.isAuthorized())28/* Challenge evaluation before finale takes over */29app.get('/api/Recycles/:id', recycles.getRecycleItem())30app.put('/api/Recycles/:id', security.denyAll())31app.delete('/api/Recycles/:id', security.denyAll())32/* SecurityQuestions: Only GET list of questions allowed. */33app.post('/api/SecurityQuestions', security.denyAll())34app.use('/api/SecurityQuestions/:id', security.denyAll())35/* SecurityAnswers: Only POST of answer allowed. */36app.get('/api/SecurityAnswers', security.denyAll())37app.use('/api/SecurityAnswers/:id', security.denyAll())38/* REST API */39app.use('/rest/user/authentication-details', security.isAuthorized())40app.use('/rest/basket/:id', security.isAuthorized())41app.use('/rest/basket/:id/order', security.isAuthorized())42/* Unauthorized users are not allowed to access B2B API */43app.use('/b2b/v2', security.isAuthorized())44/* Check if the quantity is available in stock and limit per user not exceeded, then add item to basket */45app.put('/api/BasketItems/:id', security.appendUserId(), basketItems.quantityCheckBeforeBasketItemUpdate())46app.post('/api/BasketItems', security.appendUserId(), basketItems.quantityCheckBeforeBasketItemAddition(), basketItems.addBasketItem())47/* Accounting users are allowed to check and update quantities */48app.delete('/api/Quantitys/:id', security.denyAll())49app.post('/api/Quantitys', security.denyAll())50app.use('/api/Quantitys/:id', security.isAccounting(), ipfilter(['123.456.789'], { mode: 'allow' }))51/* Feedbacks: Do not allow changes of existing feedback */52app.put('/api/Feedbacks/:id', security.denyAll())53/* PrivacyRequests: Only allowed for authenticated users */54app.use('/api/PrivacyRequests', security.isAuthorized())55app.use('/api/PrivacyRequests/:id', security.isAuthorized())56/* PaymentMethodRequests: Only allowed for authenticated users */57app.post('/api/Cards', security.appendUserId())58app.get('/api/Cards', security.appendUserId(), payment.getPaymentMethods())59app.put('/api/Cards/:id', security.denyAll())60app.delete('/api/Cards/:id', security.appendUserId(), payment.delPaymentMethodById())61app.get('/api/Cards/:id', security.appendUserId(), payment.getPaymentMethodById())62/* PrivacyRequests: Only POST allowed for authenticated users */63app.post('/api/PrivacyRequests', security.isAuthorized())64app.get('/api/PrivacyRequests', security.denyAll())65app.use('/api/PrivacyRequests/:id', security.denyAll())66app.post('/api/Addresss', security.appendUserId())68app.get('/api/Addresss', security.appendUserId(), address.getAddress())69app.put('/api/Addresss/:id', security.appendUserId())70app.delete('/api/Addresss/:id', security.appendUserId(), address.delAddressById())71app.get('/api/Addresss/:id', security.appendUserId(), address.getAddressById())72app.get('/api/Deliverys', delivery.getDeliveryMethods())73app.get('/api/Deliverys/:id', delivery.getDeliveryMethod())