Merge pull request #341 from Amsterdam/bugfix/block-api-calls-to-othe…

…r-sites Block api calls to other sites - related ticket https://trello.com/c/…
openstad · Aug 22, 2022 · f662f6e · f662f6e
2 parents aa8c321 + 6e44f61
commit f662f6e
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/packages/cms/lib/modules/api-proxy/index.js b/packages/cms/lib/modules/api-proxy/index.js
@@ -21,6 +21,15 @@ module.exports = {
             pathRewrite: {['^' + apiPath]: '/api'},
             onProxyReq: (proxyReq, req, res) => {
 
+                const siteId = req.data.global.siteId;
+                let path = req.path;
+                let match = path.match(/\/api\/site\/(\d+)\/?/);
+                if (match && match[1] != siteId) {
+                    return res.status(403).json({
+                        'message' : self.apos.i18n.__('The api call is for another site')
+                    });
+                }
+
                 /**
                  * Validate the request with captcha if send by a form
                  */