/** Authorization **/
// Route-level access control for the /rest, /api and /b2b endpoints. Express runs matching
// middleware in registration order: an `app.use(prefix, ...)` rule also covers every sub-path and
// every HTTP method under that prefix, and a later, more specific rule is added to (never replaces)
// an earlier one, so the effective policy for a path is the conjunction of all rules that match it.
/* Baskets: Unauthorized users are not allowed to access baskets */
app.use('/rest/basket', security.isAuthorized(), security.appendUserId())
/* BasketItems: API only accessible for authenticated users */
app.use('/api/BasketItems', security.isAuthorized())
app.use('/api/BasketItems/:id', security.isAuthorized())
/* Feedbacks: GET allowed for feedback carousel, POST allowed in order to provide feedback without being logged in */
// Only the /:id sub-resource is gated here; the collection itself stays open for the carousel and for
// anonymous feedback submission.
app.use('/api/Feedbacks/:id', security.isAuthorized())
/* Users: Only POST is allowed in order to register a new user */
// GET on the collection and on /:id is allowed once authenticated. Nothing in this block ties :id to
// the caller's own account, so any logged-in user can read other users' records unless the downstream
// handler enforces ownership — TODO confirm.
app.get('/api/Users', security.isAuthorized())
app.route('/api/Users/:id')
.get(security.isAuthorized())
.put(security.denyAll())
.delete(security.denyAll())
/* Products: Only GET is allowed in order to view products */
// NOTE(review): the comment above overstates this. POST is permitted for any authenticated user, and no
// rule for PUT /api/Products/:id is visible in this block, so product updates are not restricted here.
app.post('/api/Products', security.isAuthorized())
app.delete('/api/Products/:id', security.denyAll())
/* Challenges: GET list of challenges allowed. Everything else forbidden entirely */
app.post('/api/Challenges', security.denyAll())
app.use('/api/Challenges/:id', security.denyAll())
/* Complaints: POST and GET allowed when logged in only */
app.get('/api/Complaints', security.isAuthorized())
app.post('/api/Complaints', security.isAuthorized())
app.use('/api/Complaints/:id', security.denyAll())
/* Recycles: POST requires a login. GET of the list and of a single item is delegated to the recycles
   handlers rather than gated by isAuthorized(), so whatever access control applies there is not
   visible in this block. */
app.get('/api/Recycles', recycles.blockRecycleItems())
app.post('/api/Recycles', security.isAuthorized())
/* Challenge evaluation before finale takes over */
app.get('/api/Recycles/:id', recycles.getRecycleItem())
app.put('/api/Recycles/:id', security.denyAll())
app.delete('/api/Recycles/:id', security.denyAll())
/* SecurityQuestions: Only GET list of questions allowed. */
app.post('/api/SecurityQuestions', security.denyAll())
app.use('/api/SecurityQuestions/:id', security.denyAll())
/* SecurityAnswers: Only POST of answer allowed. */
app.get('/api/SecurityAnswers', security.denyAll())
app.use('/api/SecurityAnswers/:id', security.denyAll())
/* REST API */
app.use('/rest/user/authentication-details', security.isAuthorized())
// Both basket/:id rules below are already covered by the '/rest/basket' prefix rule at the top; they
// only restate intent. Nothing here checks that :id is the caller's own basket — presumably the handler
// does; verify, otherwise this is an IDOR.
app.use('/rest/basket/:id', security.isAuthorized())
app.use('/rest/basket/:id/order', security.isAuthorized())
/* Unauthorized users are not allowed to access B2B API */
app.use('/b2b/v2', security.isAuthorized())
/* Check if the quantity is available in stock and limit per user not exceeded, then add item to basket */
app.put('/api/BasketItems/:id', security.appendUserId(), basketItems.quantityCheckBeforeBasketItemUpdate())
app.post('/api/BasketItems', security.appendUserId(), basketItems.quantityCheckBeforeBasketItemAddition(), basketItems.addBasketItem())
/* Accounting users are allowed to check and update quantities */
// NOTE(review): '123.456.789' is not a valid IPv4 address (only three octets, two of them > 255), so with
// mode 'allow' this filter can never match a real client — depending on how ipfilter treats an
// unparsable entry it either rejects every accounting user or silently filters nothing; confirm which.
// Source-IP allow-listing is also only as trustworthy as the proxy / `trust proxy` configuration, which
// is not visible here. No rule in this block covers GET on the /api/Quantitys collection.
app.delete('/api/Quantitys/:id', security.denyAll())
app.post('/api/Quantitys', security.denyAll())
app.use('/api/Quantitys/:id', security.isAccounting(), ipfilter(['123.456.789'], { mode: 'allow' }))
/* Feedbacks: Do not allow changes of existing feedback */
app.put('/api/Feedbacks/:id', security.denyAll())
/* PrivacyRequests: Only allowed for authenticated users */
// The /:id rule is redundant: the prefix rule directly above already covers it. A second PrivacyRequests
// section further down additionally denies GET on the list and everything under /:id.
app.use('/api/PrivacyRequests', security.isAuthorized())
app.use('/api/PrivacyRequests/:id', security.isAuthorized())
/* Cards (payment methods): appendUserId() stamps the caller's id onto the request; whether it also
   rejects unauthenticated callers is not visible here — TODO confirm. Ownership of :id on GET/DELETE
   is left to the payment handlers. */
app.post('/api/Cards', security.appendUserId())
app.get('/api/Cards', security.appendUserId(), payment.getPaymentMethods())
app.put('/api/Cards/:id', security.denyAll())
app.delete('/api/Cards/:id', security.appendUserId(), payment.delPaymentMethodById())
app.get('/api/Cards/:id', security.appendUserId(), payment.getPaymentMethodById())
/* PrivacyRequests: Only POST allowed for authenticated users */
// Combined with the earlier isAuthorized() prefix rule: POST needs a login; GET on the list and every
// method on /:id are rejected.
app.post('/api/PrivacyRequests', security.isAuthorized())
app.get('/api/PrivacyRequests', security.denyAll())
app.use('/api/PrivacyRequests/:id', security.denyAll())

/* Addresses: same pattern as Cards. PUT /:id only gets appendUserId() and no handler here, so nothing
   in this block verifies that the address being updated belongs to the caller — check the model /
   finale layer, otherwise any authenticated user can modify another user's address. */
app.post('/api/Addresss', security.appendUserId())
app.get('/api/Addresss', security.appendUserId(), address.getAddress())
app.put('/api/Addresss/:id', security.appendUserId())
app.delete('/api/Addresss/:id', security.appendUserId(), address.delAddressById())
app.get('/api/Addresss/:id', security.appendUserId(), address.getAddressById())
/* Deliveries: public, read-only. */
app.get('/api/Deliverys', delivery.getDeliveryMethods())
app.get('/api/Deliverys/:id', delivery.getDeliveryMethod())