hyperzlib
/
nodebb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/NodeBB/NodeBB

Browse Source
v1.18.x
Barış Soner Uşaklı 5 years ago
parent 8ae1f81cf4 77481947f0
commit 081c4fa6d4
3 changed files with 8 additions and 60 deletions
Show Stats Download Patch File Download Diff File

13
src/api/users.js
Unescape Escape View File

@ -13,21 +13,19 @@ usersAPI.create = async function (caller, data) {
}; };
usersAPI.update = async function (caller, data) { usersAPI.update = async function (caller, data) {
const targetUid = caller.params ? caller.params.uid : data.uid; const oldUserData = await user.getUserFields(data.uid, ['email', 'username']);
const oldUserData = await user.getUserFields(targetUid, ['email', 'username']);
if (!oldUserData || !oldUserData.username) { if (!oldUserData || !oldUserData.username) {
throw new Error('[[error:invalid-data]]'); throw new Error('[[error:invalid-data]]');
} }
const [isAdminOrGlobalMod, canEdit, passwordMatch] = await Promise.all([ const [isAdminOrGlobalMod, canEdit, passwordMatch] = await Promise.all([
user.isAdminOrGlobalMod(caller.uid), user.isAdminOrGlobalMod(caller.uid),
privileges.users.canEdit(caller.uid, targetUid), privileges.users.canEdit(caller.uid, data.uid),
data.password ? user.isPasswordCorrect(targetUid, data.password, caller.ip) : false, data.password ? user.isPasswordCorrect(data.uid, data.password, caller.ip) : false,
]); ]);
// Changing own email/username requires password confirmation // Changing own email/username requires password confirmation
if (caller.uid === targetUid && !passwordMatch) { if (['email', 'username'].some(prop => Object.keys(data).includes(prop)) && !isAdminOrGlobalMod && caller.uid === data.uid && !passwordMatch) {
throw new Error('[[error:invalid-password]]'); throw new Error('[[error:invalid-password]]');
} }
@ -43,14 +41,13 @@ usersAPI.update = async function (caller, data) {
data.email = oldUserData.email; data.email = oldUserData.email;
} }
data.uid = targetUid; // The `uid` argument in `updateProfile` refers to calling user, not target user
await user.updateProfile(caller.uid, data); await user.updateProfile(caller.uid, data);
const userData = await user.getUserData(data.uid); const userData = await user.getUserData(data.uid);
async function log(type, eventData) { async function log(type, eventData) {
eventData.type = type; eventData.type = type;
eventData.uid = caller.uid; eventData.uid = caller.uid;
eventData.targetUid = targetUid; eventData.targetUid = data.uid;
eventData.ip = caller.ip; eventData.ip = caller.ip;
await events.log(eventData); await events.log(eventData);
} }

2
src/controllers/write/users.js
Unescape Escape View File

@ -24,7 +24,7 @@ Users.create = async (req, res) => {
}; };
Users.update = async (req, res) => { Users.update = async (req, res) => {
const userObj = await api.users.update(req, req.body); const userObj = await api.users.update(req, { ...req.body, ...req.params });
helpers.formatApiResponse(200, res, userObj); helpers.formatApiResponse(200, res, userObj);
}; };

53
src/socket.io/user/profile.js
Unescape Escape View File

@ -2,10 +2,9 @@
const winston = require('winston'); const winston = require('winston');
const api = require('../../api');
const user = require('../../user'); const user = require('../../user');
const meta = require('../../meta');
const events = require('../../events'); const events = require('../../events');
const privileges = require('../../privileges');
const notifications = require('../../notifications'); const notifications = require('../../notifications');
const db = require('../../database'); const db = require('../../database');
const plugins = require('../../plugins'); const plugins = require('../../plugins');
@ -98,55 +97,7 @@ module.exports = function (SocketUser) {
SocketUser.updateProfile = async function (socket, data) { SocketUser.updateProfile = async function (socket, data) {
sockets.warnDeprecated(socket, 'PUT /api/v3/users/:uid'); sockets.warnDeprecated(socket, 'PUT /api/v3/users/:uid');
return await api.users.update(socket, data);
if (!socket.uid) {
throw new Error('[[error:invalid-uid]]');
}
if (!data || !data.uid) {
throw new Error('[[error:invalid-data]]');
}
const oldUserData = await user.getUserFields(data.uid, ['email', 'username']);
if (!oldUserData || !oldUserData.username) {
throw new Error('[[error:invalid-data]]');
}
const [isAdminOrGlobalMod, canEdit] = await Promise.all([
user.isAdminOrGlobalMod(socket.uid),
privileges.users.canEdit(socket.uid, data.uid),
]);
if (!canEdit) {
throw new Error('[[error:no-privileges]]');
}
if (!isAdminOrGlobalMod && meta.config['username:disableEdit']) {
data.username = oldUserData.username;
}
if (!isAdminOrGlobalMod && meta.config['email:disableEdit']) {
data.email = oldUserData.email;
}
const userData = await user.updateProfile(socket.uid, data);
async function log(type, eventData) {
eventData.type = type;
eventData.uid = socket.uid;
eventData.targetUid = data.uid;
eventData.ip = socket.ip;
await events.log(eventData);
}
if (userData.email !== oldUserData.email) {
await log('email-change', { oldEmail: oldUserData.email, newEmail: userData.email });
}
if (userData.username !== oldUserData.username) {
await log('username-change', { oldUsername: oldUserData.username, newUsername: userData.username });
}
return userData;
}; };
SocketUser.toggleBlock = async function (socket, data) { SocketUser.toggleBlock = async function (socket, data) {

Write Preview
Loading…
Cancel
Save