juice-shop
74 строки · 4.4 Кб
1/** Authorization **/2/* Baskets: Unauthorized users are not allowed to access baskets */3app.use('/rest/basket', security.isAuthorized(), security.appendUserId())4/* BasketItems: API only accessible for authenticated users */5app.use('/api/BasketItems', security.isAuthorized())6app.use('/api/BasketItems/:id', security.isAuthorized())7/* Feedbacks: GET allowed for feedback carousel, POST allowed in order to provide feedback without being logged in */8app.use('/api/Feedbacks/:id', security.isAuthorized())9/* Users: Only POST is allowed in order to register a new user */10app.get('/api/Users', security.isAuthorized())11app.route('/api/Users/:id')12.get(security.isAuthorized())13.put(security.denyAll())14.delete(security.denyAll())15/* Products: Only GET is allowed in order to view products */16app.post('/api/Products', security.isAuthorized())17app.put('/api/Products/:id', security.isAuthorized())18app.delete('/api/Products/:id', security.denyAll())19/* Challenges: GET list of challenges allowed. Everything else forbidden entirely */20app.post('/api/Challenges', security.denyAll())21app.use('/api/Challenges/:id', security.denyAll())22/* Complaints: POST and GET allowed when logged in only */23app.get('/api/Complaints', security.isAuthorized())24app.post('/api/Complaints', security.isAuthorized())25app.use('/api/Complaints/:id', security.denyAll())26/* Recycles: POST and GET allowed when logged in only */27app.get('/api/Recycles', recycles.blockRecycleItems())28app.post('/api/Recycles', security.isAuthorized())29/* Challenge evaluation before finale takes over */30app.get('/api/Recycles/:id', recycles.getRecycleItem())31app.put('/api/Recycles/:id', security.denyAll())32app.delete('/api/Recycles/:id', security.denyAll())33/* SecurityQuestions: Only GET list of questions allowed. */34app.post('/api/SecurityQuestions', security.denyAll())35app.use('/api/SecurityQuestions/:id', security.denyAll())36/* SecurityAnswers: Only POST of answer allowed. */37app.get('/api/SecurityAnswers', security.denyAll())38app.use('/api/SecurityAnswers/:id', security.denyAll())39/* REST API */40app.use('/rest/user/authentication-details', security.isAuthorized())41app.use('/rest/basket/:id', security.isAuthorized())42app.use('/rest/basket/:id/order', security.isAuthorized())43/* Unauthorized users are not allowed to access B2B API */44app.use('/b2b/v2', security.isAuthorized())45/* Check if the quantity is available in stock and limit per user not exceeded, then add item to basket */46app.put('/api/BasketItems/:id', security.appendUserId(), basketItems.quantityCheckBeforeBasketItemUpdate())47app.post('/api/BasketItems', security.appendUserId(), basketItems.quantityCheckBeforeBasketItemAddition(), basketItems.addBasketItem())48/* Accounting users are allowed to check and update quantities */49app.delete('/api/Quantitys/:id', security.denyAll())50app.post('/api/Quantitys', security.denyAll())51app.use('/api/Quantitys/:id', security.isAccounting(), ipfilter(['123.456.789'], { mode: 'allow' }))52/* Feedbacks: Do not allow changes of existing feedback */53app.put('/api/Feedbacks/:id', security.denyAll())54/* PrivacyRequests: Only allowed for authenticated users */55app.use('/api/PrivacyRequests', security.isAuthorized())56app.use('/api/PrivacyRequests/:id', security.isAuthorized())57/* PaymentMethodRequests: Only allowed for authenticated users */58app.post('/api/Cards', security.appendUserId())59app.get('/api/Cards', security.appendUserId(), payment.getPaymentMethods())60app.put('/api/Cards/:id', security.denyAll())61app.delete('/api/Cards/:id', security.appendUserId(), payment.delPaymentMethodById())62app.get('/api/Cards/:id', security.appendUserId(), payment.getPaymentMethodById())63/* PrivacyRequests: Only POST allowed for authenticated users */64app.post('/api/PrivacyRequests', security.isAuthorized())65app.get('/api/PrivacyRequests', security.denyAll())66app.use('/api/PrivacyRequests/:id', security.denyAll())67app.post('/api/Addresss', security.appendUserId())69app.get('/api/Addresss', security.appendUserId(), address.getAddress())70app.put('/api/Addresss/:id', security.appendUserId())71app.delete('/api/Addresss/:id', security.appendUserId(), address.delAddressById())72app.get('/api/Addresss/:id', security.appendUserId(), address.getAddressById())73app.get('/api/Deliverys', delivery.getDeliveryMethods())74app.get('/api/Deliverys/:id', delivery.getDeliveryMethod())