Address code review: fix escaping, guard nested groups, clarify error message
This commit is contained in:
parent
44ad3addf0
commit
edd5dcab70
|
|
@ -598,10 +598,10 @@ function renderLogsList(logs) {
|
|||
const li = document.createElement('li');
|
||||
li.className = 'acl-entry';
|
||||
const granted = !!log.granted;
|
||||
const cards = log.cardNumbers ? `, cards: ${log.cardNumbers}` : '';
|
||||
const cards = log.cardNumbers ? `, cards: ${escapeHtml(log.cardNumbers)}` : '';
|
||||
li.innerHTML = `
|
||||
<span class="badge type-badge" style="background:${granted ? 'var(--success)' : 'var(--danger)'};">${granted ? 'Granted' : 'Denied'}</span>
|
||||
<span class="acl-description">${escapeHtml(log.scannedAt)} — user: ${escapeHtml(log.userId || 'unknown')}${escapeHtml(cards)}</span>
|
||||
<span class="acl-description">${escapeHtml(log.scannedAt)} — user: ${escapeHtml(log.userId || 'unknown')}${cards}</span>
|
||||
`;
|
||||
list.appendChild(li);
|
||||
});
|
||||
|
|
|
|||
|
|
@ -127,6 +127,10 @@ router.get('/:placeId/:accessPointId/onScan', async (req, res) => {
|
|||
}
|
||||
const byGroup = {};
|
||||
for (const member of members) {
|
||||
// Groups can only contain direct credentials (types 0-4); the API rejects
|
||||
// nested groups on write, but skip any type 5 here too as defense-in-depth
|
||||
// against infinite recursion if the database is ever modified directly.
|
||||
if (member.type === 5) continue;
|
||||
if (!byGroup[member.groupId]) byGroup[member.groupId] = [];
|
||||
byGroup[member.groupId].push(member);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -407,7 +407,7 @@ router.post('/places/:placeId/access-groups/:groupId/members', loadOwnedPlace, l
|
|||
}
|
||||
// Groups cannot contain other groups, to avoid nested/circular resolution.
|
||||
if (parseInt(type, 10) === 5) {
|
||||
return res.status(400).json({ success: false, message: "An access group cannot contain another access group" });
|
||||
return res.status(400).json({ success: false, message: "An access group cannot contain another access group, to prevent circular/nested resolution" });
|
||||
}
|
||||
|
||||
db.run(`INSERT INTO access_group_members (groupId, type, data) VALUES (?, ?, ?)`, [req.accessGroup.id, type, data], function (err) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue