From 4f16dd0c81d3aa4e60f337e573895192ae6a7f83 Mon Sep 17 00:00:00 2001
From: NGPixel
Date: Sun, 19 Jul 2020 15:26:51 -0400
Subject: [PATCH] fix: admin permissions + restrict nav settings
---
 server/controllers/common.js | 14 ++++++++++++++
 server/graph/schemas/navigation.graphql | 4 ++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/server/controllers/common.js b/server/controllers/common.js
index d1879dfe..338ae5fe 100644
--- a/server/controllers/common.js
+++ b/server/controllers/common.js
@@ -36,6 +36,20 @@ router.get('/healthz', (req, res, next) => {
 * Administration
 */
 router.get(['/a', '/a/*'], (req, res, next) => {
+ if (!WIKI.auth.checkAccess(req.user, [
+ 'manage:system',
+ 'write:users',
+ 'manage:users',
+ 'write:groups',
+ 'manage:groups',
+ 'manage:navigation',
+ 'manage:theme',
+ 'manage:api'
+ ])) {
+ _.set(res.locals, 'pageMeta.title', 'Unauthorized')
+ return res.render('unauthorized', { action: 'view' })
+ }
+
 _.set(res.locals, 'pageMeta.title', 'Admin')
 res.render('admin')
 })
diff --git a/server/graph/schemas/navigation.graphql b/server/graph/schemas/navigation.graphql
index ab9281af..26ef9a9c 100644
--- a/server/graph/schemas/navigation.graphql
+++ b/server/graph/schemas/navigation.graphql
@@ -15,8 +15,8 @@ extend type Mutation {
 # -----------------------------------------------
 type NavigationQuery {
- tree: [NavigationTree]!
- config: NavigationConfig!
+ tree: [NavigationTree]! @auth(requires: ["manage:navigation", "manage:system"])
+ config: NavigationConfig! @auth(requires: ["manage:navigation", "manage:system"])
 }
 # -----------------------------------------------
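Review bot: The denial branch of the `/a` handler renders the `unauthorized` view without setting a status code, so a rejected admin request is presumably answered with Express's default 200. Changing it to `return res.status(403).render('unauthorized', { action: 'view' })` would let access logs, proxies and alerting tell a denied admin request from a successful one. If other routes in this file deliberately return 200 here (not visible in this hunk), keep it consistent and say so in a comment. The inline eight-entry permission array can also drift from the `@auth` lists in the GraphQL schemas. Hoisting it into a named constant with a comment such as `// gate for rendering the admin shell only; data access is enforced per resolver` would make clear that this check protects the page render, not the data behind it.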
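Review bot: Only the read side of navigation is restricted here: `tree` and `config` on `NavigationQuery` gain `@auth`, while the `Mutation` extension named in the hunk header lies outside the hunk. It is worth confirming that the navigation mutation fields carry the same `requires` list, since a guarded read with an unguarded write would still leave the setting editable. Any client that fetches `tree` without one of these permissions (for example to draw the site menu, if that is not rendered server-side) would now get an authorization error, so that path should be checked as well. A schema comment above the type, such as `# Admin-only: requires manage:navigation or manage:system`, would document the intent, assuming `requires` is satisfied by any one listed permission.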