From ea2ed6f8146c434e6a8f39bb2ca41ec10fbad510 Mon Sep 17 00:00:00 2001
From: Rogerio Chaves
Date: Sat, 2 May 2020 22:35:53 +0200
Subject: [PATCH] Block access to /pubs and /debug for non-admins, remove profile.debug, leave only .admin
---
web/lib/express.js | 24 ++++++++++++++++--------
web/views/desktop/_header.ejs | 2 --
2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/web/lib/express.js b/web/lib/express.js
index fa2b6c7..627b2bc 100644
--- a/web/lib/express.js
+++ b/web/lib/express.js
@@ -98,8 +98,7 @@ app.use(async (req, res, next) => {
req.context.profile.id == ssb.client().id ||
process.env.NODE_ENV != "production";
- req.context.profile.debug = isRootUser;
- req.context.profile.admin = isRootUser || mode == "standalone";
+ req.context.profile.admin = isRootUser;
next();
});
@@ -516,19 +515,25 @@ router.post("/profile/:id(*)/publish_secret", async (req, res) => {
res.redirect(profileUrl(id));
});
-router.get("/pubs", async (_req, res) => {
- const peers = await ssb.client().gossip.peers();
-
- res.render("desktop/pubs", { peers });
-});
-
router.get("/pub_invite", { public: true }, async (_req, res) => {
const invite = await ssb.client().invite.create({ uses: 1 });
res.json({ invite });
});
+router.get("/pubs", async (req, res) => {
+ if (!req.context.profile.admin) {
+ return res.redirect("/");
+ }
+ const peers = await ssb.client().gossip.peers();
+
+ res.render("desktop/pubs", { peers });
+});
+
router.post("/pubs/add", async (req, res) => {
+ if (!req.context.profile.admin) {
+ return res.redirect("/");
+ }
const inviteCode = req.body.invite_code;
await ssb.client().invite.accept(inviteCode);
@@ -787,6 +792,9 @@ router.get("/syncing", (_req, res) => {
});
router.get("/debug", async (req, res) => {
+ if (!req.context.profile.admin) {
+ return res.redirect("/");
+ }
const query = req.query || {};
const entries = await queries.getAllEntries(query);
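Review bot: The new `req.context.profile.admin = isRootUser;` makes admin depend entirely on the condition in the two context lines above it, whose `process.env.NODE_ENV != "production"` clause grants admin to every visitor whenever NODE_ENV is unset or spelled differently — the usual state when the app is started by hand — and /pubs, /pubs/add and /debug now all key off this one flag. Consider making the development grant an explicit opt-in, `process.env.NODE_ENV === "development"`, and using strict equality in the other clause, `req.context.profile.id === ssb.client().id`, so a loose `==` coercion cannot widen it. The `app.use` middleware and the declaration that this `||` expression feeds start above the hunk, so its binding to `isRootUser` is inferred from the context lines.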
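Review bot: The admin gate added to `/pubs` and `/pubs/add` in the second hunk (and again to `/debug` in the third) is the same three lines pasted into each handler, so the next admin-only route stays protected only if its author remembers to paste it too; one shared helper keeps the check in a single place and makes a missing gate easy to grep for. The gate also answers a non-admin `POST /pubs/add` with a 302 to `/`, which hides the denial from the client and from access logs, whereas a 403 records what happened. The `/pubs/add` handler continues past the end of the hunk. The rewrite below keeps the handlers' shape and only swaps the inline check for the helper.
```javascript
// Shared admin gate for /pubs, /pubs/add and /debug: replies 403 and returns
// false when the caller is not an admin, so each handler can bail out early.
function requireAdmin(req, res) {
  if (req.context.profile.admin) return true;
  res.status(403).send("Forbidden");
  return false;
}

router.get("/pubs", async (req, res) => {
  if (!requireAdmin(req, res)) return;
  // … unchanged: gossip.peers() and render …
});

router.post("/pubs/add", async (req, res) => {
  if (!requireAdmin(req, res)) return;
  // … unchanged: invite.accept and the rest of the handler …
```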
diff --git a/web/views/desktop/_header.ejs b/web/views/desktop/_header.ejs
index 6659c6e..a19b2f5 100644
--- a/web/views/desktop/_header.ejs
+++ b/web/views/desktop/_header.ejs
@@ -20,8 +20,6 @@ Communities <% if (context.profile.admin) { %> Pubs
- <% } %>
- <% if (context.profile.debug) { %>
Debug <% } %> Feedback