Restrict config access

lib/configuration/hooks/dashboard/config/config.js

@@ -5,16 +5,53 @@
  */
 
 module.exports = function * () {
+  let user;
+  let isAdmin = false;
+
+  try {
+    user = yield strapi.api.user.services.jwt.getToken(this, true);
+
+    if (user && user.id) {
+      // Find the user in the database.
+      user = yield strapi.orm.collections.user.findOne(user.id).populate('roles');
+
+      // Check if the user has the role `admin`.
+      isAdmin = _.findWhere(user.roles, {name: 'admin'});
+      if (!isAdmin) {
+        this.status = 403;
+        this.body = {
+          message: 'You must be have the role admin to get the config of the app.'
+        };
+        return;
+      }
+    }
+  } catch (err) {
+
+  }
 
   try {
     // Init output object.
     const output = {};
 
     // Set the config.
-    output.settings = {
-      url: strapi.config.url,
-      i18n: strapi.config.i18n
-    };
+    output.settings = {};
+    output.settings.url = strapi.config.url;
+
+    // Define if the app is considered as new.
+    const userCount = yield strapi.orm.collections.user.count();
+    output.settings.isNewApp = !userCount;
+
+    // User is not connected.
+    if (!user) {
+      output.connected = false;
+      this.body = output;
+      return;
+    } else {
+      output.connected = true;
+    }
+
+    // i18n config.
+    output.settings.i18n = strapi.config.i18n;
 
     // Set the models.
     output.models = strapi.models;
@@ -36,17 +73,6 @@ module.exports = function * () {
       });
     });
 
-    // User count.
-    const promises = [];
-    promises.push(strapi.orm.collections.user.count());
-
-    // Execute promises.
-    const response = yield promises;
-
-    // Define if the app is considered as new.
-    const userCount = response[0];
-    output.settings.isNewApp = !userCount;
-
     // Finally send the result in the callback.
     this.body = output;
   } catch (err) {