mirror of
https://github.com/jambonz/jambonz-api-server.git
synced 2026-07-04 19:21:53 +00:00
fix(security): add authorization checks to prevent cross-account access (CWE-639) (#558)
- Add precondition support to decorate.js retrieve function - Fix google-custom-voices.js typo and add delete precondition - Check ownership via speech_credential for google-custom-voices - Add retrieve/delete preconditions to lcr-carrier-set-entries.js - Add retrieve precondition to sip-gateways.js and smpp-gateways.js - Add scope check to lcr-routes.js custom GET handler - Add full authorization to tenants.js for all CRUD operations - Add scoped query methods to tenant model Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -85,6 +85,7 @@ router.get('/:sid', async(req, res) => {
|
||||
const results = await LcrRoute.retrieve(lcr_route_sid);
|
||||
if (results.length === 0) return res.sendStatus(404);
|
||||
const route = results[0];
|
||||
await checkUserScope(req, route.lcr_sid);
|
||||
route.lcr_carrier_set_entries = await LcrCarrierSetEntry.retrieveAllByLcrRouteSid(route.lcr_route_sid);
|
||||
res.status(200).json(route);
|
||||
} catch (err) {
|
||||
|
||||
Reference in New Issue
Block a user