diff --git a/packages/backend/src/routers/auth/grant-user-app.js b/packages/backend/src/routers/auth/grant-user-app.js index 3fe570fa2..ace7c67bf 100644 --- a/packages/backend/src/routers/auth/grant-user-app.js +++ b/packages/backend/src/routers/auth/grant-user-app.js @@ -44,6 +44,12 @@ module.exports = eggspress('/auth/grant-user-app', { throw APIError.create('field_missing', null, { key: 'app_uid' }); } + if ( ! req.body.permission ) { + throw APIError.create('field_missing', null, { + key: 'permission' + }); + } + const token = await svc_permission.grant_user_app_permission( actor, req.body.app_uid, req.body.permission, req.body.extra || {}, req.body.meta || {} diff --git a/packages/backend/src/routers/auth/grant-user-user.js b/packages/backend/src/routers/auth/grant-user-user.js index 43b8795f0..eba591c06 100644 --- a/packages/backend/src/routers/auth/grant-user-user.js +++ b/packages/backend/src/routers/auth/grant-user-user.js @@ -21,6 +21,12 @@ module.exports = eggspress('/auth/grant-user-user', { throw APIError.create('field_missing', null, { key: 'target_username' }); } + if ( ! req.body.permission ) { + throw APIError.create('field_missing', null, { + key: 'permission' + }); + } + await svc_permission.grant_user_user_permission( actor, req.body.target_username, req.body.permission, req.body.extra || {}, req.body.meta || {}