/** Authorization **/
/* NOTE(review): Express runs these registrations in the order written, so for a given
   path and method every earlier matching handler must call next() before a later one
   is reached. Routes below that carry no security.isAuthorized() rely entirely on the
   named handler or on security.appendUserId() for access control — presumably
   appendUserId() rejects requests without a valid token, but that is not visible
   here; confirm against the security module. */
/* Baskets: Unauthorized users are not allowed to access baskets */
app.use('/rest/basket', security.isAuthorized(), security.appendUserId())
/* BasketItems: API only accessible for authenticated users */
app.use('/api/BasketItems', security.isAuthorized())
app.use('/api/BasketItems/:id', security.isAuthorized())
/* Feedbacks: GET allowed for feedback carousel, POST allowed in order to provide feedback without being logged in */
app.use('/api/Feedbacks/:id', security.isAuthorized())
/* Users: Only POST is allowed in order to register a new user */
/* NOTE(review): only GET on the collection is restricted here; no policy for other
   methods on /api/Users is registered in this block. */
app.get('/api/Users', security.isAuthorized())
app.route('/api/Users/:id')
.get(security.isAuthorized())
.put(security.denyAll())
.delete(security.denyAll())
/* Products: Only GET is allowed in order to view products */
/* NOTE(review): the comment above does not match the registrations — POST and PUT are
   gated by isAuthorized() (any logged-in user), only DELETE is denyAll(). Confirm
   which of the two is intended. */
app.post('/api/Products', security.isAuthorized())
app.put('/api/Products/:id', security.isAuthorized())
app.delete('/api/Products/:id', security.denyAll())
/* Challenges: GET list of challenges allowed. Everything else forbidden entirely */
app.post('/api/Challenges', security.denyAll())
app.use('/api/Challenges/:id', security.denyAll())
/* Complaints: POST and GET allowed when logged in only */
app.get('/api/Complaints', security.isAuthorized())
app.post('/api/Complaints', security.isAuthorized())
app.use('/api/Complaints/:id', security.denyAll())
/* Recycles: POST and GET allowed when logged in only */
/* NOTE(review): GET on the collection is gated by recycles.blockRecycleItems() rather
   than security.isAuthorized(); whether that handler enforces a login is not visible
   from this file. */
app.get('/api/Recycles', recycles.blockRecycleItems())
app.post('/api/Recycles', security.isAuthorized())
/* Challenge evaluation before finale takes over */
/* NOTE(review): GET /api/Recycles/:id has no isAuthorized() in front of it; access
   control, if any, lives inside recycles.getRecycleItem(). */
app.get('/api/Recycles/:id', recycles.getRecycleItem())
app.put('/api/Recycles/:id', security.denyAll())
app.delete('/api/Recycles/:id', security.denyAll())
/* SecurityQuestions: Only GET list of questions allowed. */
app.post('/api/SecurityQuestions', security.denyAll())
app.use('/api/SecurityQuestions/:id', security.denyAll())
/* SecurityAnswers: Only POST of answer allowed. */
app.get('/api/SecurityAnswers', security.denyAll())
app.use('/api/SecurityAnswers/:id', security.denyAll())
/* REST API */
app.use('/rest/user/authentication-details', security.isAuthorized())
/* NOTE(review): app.use() matches by path prefix, so the earlier
   app.use('/rest/basket', ...) registration already covers these two sub-paths;
   the lines below look redundant but are harmless. */
app.use('/rest/basket/:id', security.isAuthorized())
app.use('/rest/basket/:id/order', security.isAuthorized())
/* Unauthorized users are not allowed to access B2B API */
app.use('/b2b/v2', security.isAuthorized())
/* Check if the quantity is available in stock and limit per user not exceeded, then add item to basket */
/* NOTE(review): these two registrations come after the isAuthorized() app.use()
   entries for the same paths above, so they only run for authenticated requests. */
app.put('/api/BasketItems/:id', security.appendUserId(), basketItems.quantityCheckBeforeBasketItemUpdate())
app.post('/api/BasketItems', security.appendUserId(), basketItems.quantityCheckBeforeBasketItemAddition(), basketItems.addBasketItem())
/* Accounting users are allowed to check and update quantities */
app.delete('/api/Quantitys/:id', security.denyAll())
app.post('/api/Quantitys', security.denyAll())
/* NOTE(review): '123.456.789' is not a well-formed IPv4 address (three octets, values
   above 255). With mode 'allow' the effective result depends on how ipfilter parses an
   invalid entry — it may allow nothing or everything; confirm the intended allow-list.
   isAccounting() runs first, so the role check is applied before the IP filter. */
app.use('/api/Quantitys/:id', security.isAccounting(), ipfilter(['123.456.789'], { mode: 'allow' }))
/* Feedbacks: Do not allow changes of existing feedback */
app.put('/api/Feedbacks/:id', security.denyAll())
/* PrivacyRequests: Only allowed for authenticated users */
/* NOTE(review): PrivacyRequests is registered twice in this file with different
   comments. These two app.use() lines run first; the later block adds denyAll() for
   GET on the collection and for every method on /:id, so the effective policy is:
   POST requires login, everything else is denied. Consider keeping only one block. */
app.use('/api/PrivacyRequests', security.isAuthorized())
app.use('/api/PrivacyRequests/:id', security.isAuthorized())
/* PaymentMethodRequests: Only allowed for authenticated users */
/* NOTE(review): the comment refers to PaymentMethodRequests but the routes are
   /api/Cards. None of them uses isAuthorized(); authentication is assumed to be
   enforced by appendUserId() — verify. */
app.post('/api/Cards', security.appendUserId())
app.get('/api/Cards', security.appendUserId(), payment.getPaymentMethods())
app.put('/api/Cards/:id', security.denyAll())
app.delete('/api/Cards/:id', security.appendUserId(), payment.delPaymentMethodById())
app.get('/api/Cards/:id', security.appendUserId(), payment.getPaymentMethodById())
/* PrivacyRequests: Only POST allowed for authenticated users */
/* NOTE(review): second PrivacyRequests block, see the note at the first one; the
   POST line is redundant with the earlier app.use('/api/PrivacyRequests', ...). */
app.post('/api/PrivacyRequests', security.isAuthorized())
app.get('/api/PrivacyRequests', security.denyAll())
app.use('/api/PrivacyRequests/:id', security.denyAll())

/* Addresss: same pattern as Cards — no explicit isAuthorized(), only appendUserId()
   in front of the address handlers; PUT /:id has no handler after appendUserId(). */
app.post('/api/Addresss', security.appendUserId())
app.get('/api/Addresss', security.appendUserId(), address.getAddress())
app.put('/api/Addresss/:id', security.appendUserId())
app.delete('/api/Addresss/:id', security.appendUserId(), address.delAddressById())
app.get('/api/Addresss/:id', security.appendUserId(), address.getAddressById())
/* Deliverys: no authorization middleware is registered, so these GETs are reachable
   without a token unless the delivery handlers check it themselves. */
app.get('/api/Deliverys', delivery.getDeliveryMethods())
app.get('/api/Deliverys/:id', delivery.getDeliveryMethod())