jeffemmett
/
rspace-online
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: enforce enabledModules check on module root path 

The sub-path middleware (/:space/:moduleId/*) already blocked disabled
modules, but the root path (/:space/:moduleId) didn't. Now both paths
consistently check enabledModules before allowing access.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jeff Emmett 2026-03-24 12:38:01 -07:00
parent 4536b5cab1
commit 7ad5666b9a
1 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
server/index.ts
View File

@ -2374,11 +2374,24 @@ for (const mod of getAllModules()) {
return next(); return next();
}); });
// Onboarding: show landing page for empty modules (root page only) // Onboarding + enabledModules check for root path (root page only)
if (mod.id !== "rspace") { if (mod.id !== "rspace") {
app.use(`/:space/${mod.id}`, async (c, next) => { app.use(`/:space/${mod.id}`, async (c, next) => {
const space = c.req.param("space"); const space = c.req.param("space");
if (!space || space === "demo" || space === "api" || space.includes(".")) return next(); if (!space || space === "api" || space.includes(".")) return next();
// Block disabled modules (same check as sub-path middleware)
await loadCommunity(space);
const spaceDoc = getDocumentData(space);
if (spaceDoc?.meta?.enabledModules && !spaceDoc.meta.enabledModules.includes(mod.id)) {
const accept = c.req.header("Accept") || "";
if (accept.includes("text/html")) {
return c.redirect(`/${space}/rspace`);
}
return c.json({ error: "Module not enabled for this space" }, 404);
}
if (space === "demo") return next();
if (c.req.method !== "GET") return next(); if (c.req.method !== "GET") return next();
const path = c.req.path; const path = c.req.path;
const root = `/${space}/${mod.id}`; const root = `/${space}/${mod.id}`;