fix(Drivers): check auhorization before accepting files

NoNameProvided · NoNameProvided · commit c9a8e0e168f2 · 2017-08-13T16:00:56.000+02:00
diff --git a/src/driver/express/ExpressDriver.ts b/src/driver/express/ExpressDriver.ts
@@ -87,33 +87,21 @@ export class ExpressDriver extends BaseDriver implements Driver {
 
         // middlewares required for this action
         const defaultMiddlewares: any[] = [];
+
         if (actionMetadata.isBodyUsed) {
             if (actionMetadata.isJsonTyped) {
                 defaultMiddlewares.push(this.loadBodyParser().json(actionMetadata.bodyExtraOptions));
             } else {
                 defaultMiddlewares.push(this.loadBodyParser().text(actionMetadata.bodyExtraOptions));
             }
         }
-        if (actionMetadata.isFileUsed || actionMetadata.isFilesUsed) {
-            const multer = this.loadMulter();
-            actionMetadata.params
-                .filter(param => param.type === "file")
-                .forEach(param => {
-                    defaultMiddlewares.push(multer(param.extraOptions).single(param.name));
-                });
-            actionMetadata.params
-                .filter(param => param.type === "files")
-                .forEach(param => {
-                    defaultMiddlewares.push(multer(param.extraOptions).array(param.name));
-                });
-        }
 
         if (actionMetadata.isAuthorizedUsed) {
             defaultMiddlewares.push((request: any, response: any, next: Function) => {
                 if (!this.authorizationChecker)
                     throw new AuthorizationCheckerNotDefinedError();
 
-                const action: Action = {request, response, next};
+                const action: Action = { request, response, next };
                 const checkResult = this.authorizationChecker(action, actionMetadata.authorizedRoles);
 
                 const handleError = (result: any) => {
@@ -135,6 +123,20 @@ export class ExpressDriver extends BaseDriver implements Driver {
             });
         }
 
+        if (actionMetadata.isFileUsed || actionMetadata.isFilesUsed) {
+            const multer = this.loadMulter();
+            actionMetadata.params
+                .filter(param => param.type === "file")
+                .forEach(param => {
+                    defaultMiddlewares.push(multer(param.extraOptions).single(param.name));
+                });
+            actionMetadata.params
+                .filter(param => param.type === "files")
+                .forEach(param => {
+                    defaultMiddlewares.push(multer(param.extraOptions).array(param.name));
+                });
+        }
+
         // user used middlewares
         const uses = [...actionMetadata.controllerMetadata.uses, ...actionMetadata.uses];
         const beforeMiddlewares = this.prepareMiddlewares(uses.filter(use => !use.afterAction));
diff --git a/src/driver/koa/KoaDriver.ts b/src/driver/koa/KoaDriver.ts
@@ -69,26 +69,13 @@ export class KoaDriver extends BaseDriver implements Driver {
 
         // middlewares required for this action
         const defaultMiddlewares: any[] = [];
-        if (actionMetadata.isFileUsed || actionMetadata.isFilesUsed) {
-            const multer = this.loadMulter();
-            actionMetadata.params
-                .filter(param => param.type === "file")
-                .forEach(param => {
-                    defaultMiddlewares.push(multer(param.extraOptions).single(param.name));
-                });
-            actionMetadata.params
-                .filter(param => param.type === "files")
-                .forEach(param => {
-                    defaultMiddlewares.push(multer(param.extraOptions).array(param.name));
-                });
-        }
 
         if (actionMetadata.isAuthorizedUsed) {
             defaultMiddlewares.push((context: any, next: Function) => {
                 if (!this.authorizationChecker)
                     throw new AuthorizationCheckerNotDefinedError();
 
-                const action: Action = {request: context.request, response: context.response, context, next};
+                const action: Action = { request: context.request, response: context.response, context, next };
                 const checkResult = actionMetadata.authorizedRoles instanceof Function ?
                     getFromContainer<RoleChecker>(actionMetadata.authorizedRoles).check(action) :
                     this.authorizationChecker(action, actionMetadata.authorizedRoles);
@@ -110,6 +97,20 @@ export class KoaDriver extends BaseDriver implements Driver {
             });
         }
 
+        if (actionMetadata.isFileUsed || actionMetadata.isFilesUsed) {
+            const multer = this.loadMulter();
+            actionMetadata.params
+                .filter(param => param.type === "file")
+                .forEach(param => {
+                    defaultMiddlewares.push(multer(param.extraOptions).single(param.name));
+                });
+            actionMetadata.params
+                .filter(param => param.type === "files")
+                .forEach(param => {
+                    defaultMiddlewares.push(multer(param.extraOptions).array(param.name));
+                });
+        }
+
         // user used middlewares
         const uses = actionMetadata.controllerMetadata.uses.concat(actionMetadata.uses);
         const beforeMiddlewares = this.prepareMiddlewares(uses.filter(use => !use.afterAction));
