fix: admin permissions + restrict nav settings

server/controllers/common.js

@@ -36,6 +36,20 @@ router.get('/healthz', (req, res, next) => {
  * Administration
  */
 router.get(['/a', '/a/*'], (req, res, next) => {
+  if (!WIKI.auth.checkAccess(req.user, [
+    'manage:system',
+    'write:users',
+    'manage:users',
+    'write:groups',
+    'manage:groups',
+    'manage:navigation',
+    'manage:theme',
+    'manage:api'
+  ])) {
+    _.set(res.locals, 'pageMeta.title', 'Unauthorized')
+    return res.render('unauthorized', { action: 'view' })
+  }
+
   _.set(res.locals, 'pageMeta.title', 'Admin')
   res.render('admin')
 })

server/graph/schemas/navigation.graphql

@@ -15,8 +15,8 @@ extend type Mutation {
 # -----------------------------------------------
 
 type NavigationQuery {
-  tree: [NavigationTree]!
-  config: NavigationConfig!
+  tree: [NavigationTree]! @auth(requires: ["manage:navigation", "manage:system"])
+  config: NavigationConfig! @auth(requires: ["manage:navigation", "manage:system"])
 }
 
 # -----------------------------------------------