import { Audit, AuditAction } from '$lib/server/audit';
import { Users } from '$lib/server/users/index.js';
import { hasPrivileges } from '$lib/utils.js';
import { error, redirect } from '@sveltejs/kit';
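/**
 * Server `load` guard for the admin area.
 *
 * Resolves the current user from the session and requires the 'admin' or
 * 'self:oauth2' privilege. Sessions that no longer map to a user are
 * destroyed and redirected to the login page; authenticated users without
 * the required privilege are written to the audit log and answered with a
 * 404 (rather than a 403 — presumably so the admin route is not confirmed to
 * exist; keep consistent with the other admin guards).
 *
 * @param {object} event - SvelteKit RequestEvent. `url` and `locals` are
 *   pulled out here; the remaining properties are forwarded to the audit log.
 * @returns {Promise<{ renderrt: number, user: object }>} page data: a render
 *   timestamp plus the session user merged with its resolved privileges.
 */
export const load = async ({ url, locals, ...event }) => {
  const userInfo = locals.session.data?.user;
  const currentUser = await Users.getBySession(userInfo);

  if (!userInfo || !currentUser) {
    // The session no longer resolves to a user: drop it so the stale cookie
    // is not replayed, then send the client to login.
    await locals.session.destroy();
    // 302 (temporary) instead of 301: a 301 is cached by browsers, which
    // would keep sending this URL to /login even after the user signs in.
    // Pathname + query are both kept so the post-login return lands on the
    // exact page that was requested; the value stays a same-origin path.
    const returnTo = `${url.pathname}${url.search}`;
    return redirect(302, `/login?redirectTo=${encodeURIComponent(returnTo)}`);
  }

  // Only users holding 'admin' or 'self:oauth2' may access this area.
  const privileges = await Users.getUserPrivileges(currentUser);
  if (!hasPrivileges(privileges, ['admin', 'self:oauth2'])) {
    // NOTE(review): `event` here lacks `url` and `locals` (destructured
    // above) — confirm Audit.insertRequest does not rely on either.
    await Audit.insertRequest(
      AuditAction.MALICIOUS_REQUEST,
      event,
      currentUser,
      `unauthorized direct admin access\nurl=${url.toString()}`
    );
    return error(404, 'Not Found');
  }

  return {
    renderrt: Date.now(),
    user: {
      ...userInfo,
      privileges
    }
  };
};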