export async function onRequestGet(context: RequestContext) {
const { searchParams } = new URL(context.request.url);
const tables: { [k: string]: string } = {
appeal: "appeals",
gma: "game_appeals",
report: "reports",
};
appeal: [1 << 0, 1 << 1],
gma: [1 << 5],
report: [1 << 5],
};
const { current_user: currentUser } = context.data;
if (!entryType || !types[entryType])
return new Response('{"error":"Invalid filter type"}', {
headers: {
"content-type": "application/json",
},
status: 400,
});
if (!permissions[entryType].find((p) => currentUser.permissions & p))
return new Response('{"error":"You cannot use this filter"}', {
headers: {
"content-type": "application/json",
},
status: 403,
});
if (isNaN(before) || before > Date.now())
return new Response('{"error":"Invalid `before` parameter"}', {
headers: {
"content-type": "application/json",
},
status: 400,
});
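/*
Putting the table name directly into the query text is normally VERY BAD and can lead to injection attacks.
However, there is no other way to do this, as bindings for table names are apparently unsupported.
To avoid any potential injection attacks, we enforce a fixed list of allowed values, plus a permission check, for table names:
the name must only ever be read from that list, never taken from the request itself.
NOTE(review): the list lookups index plain objects, which also resolve inherited keys; an own-property check (e.g. Object.hasOwn) would keep the allowlist strict - confirm.
*/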
const item = await context.env.DATA.get(`${prefix}_${id}`, {
type: "json",
});
if (item) items.push({ ...item, id });