3
export async function onRequestGet(context: RequestContext) {
4
const { searchParams } = new URL(context.request.url);
8
const tables: { [k: string]: string } = {
9
appeal: "appeals",
10
gma: "game_appeals",
24
report: [1 << 5],
25
};
26
const { current_user: currentUser } = context.data;
40
/*
41
Building a table name into the query string is normally VERY BAD and can lead to SQL injection attacks
42
However, there is no other way to do this: bound parameters can only stand in for values, not for identifiers such as table names
43
To avoid any potential injection attacks, table names are restricted to a fixed allowlist of specific values, and each one has its own permission requirement
44
*/
56
const item: { [k: string]: any } | null = await context.env.DATA.get(
57
`${prefix}_${id}`,
58
{
59
type: "json",
60
},
61
);
65
66
if (entryType === "inactivity") {
67
// Only include inactivity notices that a user can actually act on
68
const departments = {
69
DM: [1 << 11],
70
ET: [1 << 4, 1 << 12],
71
FM: [1 << 7],
72
WM: [1 << 6],
73
};
74
75
if (
76
!Object.entries(departments).find(
77
(dept) =>
78
item.departments.includes(dept[0]) &&
79
dept[1].find((p) => currentUser.permissions & p),
80
)
81
)
82
continue;
83
}
84