diff --git a/src/controllers/accounts/helpers.js b/src/controllers/accounts/helpers.js
index 7a90930053..f3efd67285 100644
--- a/src/controllers/accounts/helpers.js
+++ b/src/controllers/accounts/helpers.js
@@ -107,6 +107,7 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 userData.isModerator = isModerator;
 userData.isAdminOrGlobalModerator = isAdmin || isGlobalModerator;
 userData.isAdminOrGlobalModeratorOrModerator = isAdmin || isGlobalModerator || isModerator;
+ userData.isSelfOrAdminOrGlobalModerator = isSelf || isAdmin || isGlobalModerator;
 userData.canEdit = isAdmin || (isGlobalModerator && !results.isTargetAdmin);
 userData.canBan = isAdmin || (isGlobalModerator && !results.isTargetAdmin);
 userData.canChangePassword = isAdmin || (isSelf && parseInt(meta.config['password:disableEdit'], 10) !== 1);
diff --git a/src/controllers/accounts/session.js b/src/controllers/accounts/session.js
index 7e31906f26..e8123820ee 100644
--- a/src/controllers/accounts/session.js
+++ b/src/controllers/accounts/session.js
@@ -13,13 +13,9 @@ sessionController.revoke = function (req, res, next) {
 }
 var _id;
- var uid;
+ var uid = res.locals.uid;
 async.waterfall([
 function (next) {
- user.getUidByUserslug(req.params.userslug, next);
- },
- function (_uid, next) {
- uid = _uid;
 if (!uid) {
 return next(new Error('[[error:no-session-found]]'));
 }
diff --git a/src/middleware/index.js b/src/middleware/index.js
index 87fcb0a6a6..9bf02c1449 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
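Review bot: The added flag recomputes `isAdmin || isGlobalModerator`, which the line just above already stores in `userData.isAdminOrGlobalModerator`; `userData.isSelfOrAdminOrGlobalModerator = isSelf || userData.isAdminOrGlobalModerator;` keeps the two definitions in step if the admin/global-moderator rule ever changes. Like the neighbouring `can*` flags this appears to be a template/display flag, so the actual enforcement for the session-revoke endpoint presumably lives in the route middleware; a short comment saying so, `// display flag only; the revoke route enforces this in middleware.ensureSelfOrGlobalPrivilege`, would stop a future reader from treating it as the authorization check. The enclosing function continues outside the hunk.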
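Review bot: `var uid = res.locals.uid;` makes `revoke` depend on `middleware.exposeUid` having populated `res.locals.uid` (as the routes hunk now wires it), but nothing in the controller records that contract, and when the value is absent the caller receives `[[error:no-session-found]]`, which describes a different failure. A comment above the declaration, `// uid is resolved from :userslug by middleware.exposeUid; the route must include it before this controller`, would make the dependency visible, and a distinct error for the missing-uid case would keep a mis-wired route from masquerading as a session lookup miss. The removed `user.getUidByUserslug` step was the only place the slug was resolved inside the controller, so any other route that reaches `revoke` without `exposeUid` now fails with that misleading message. The enclosing function continues outside the hunk.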
@@ -49,8 +49,16 @@ middleware.authenticate = function (req, res, next) {
 controllers.helpers.notAllowed(req, res);
 };
-middleware.ensureGlobalPrivilege = function (req, res, next) {
+middleware.ensureSelfOrGlobalPrivilege = function (req, res, next) {
+ /*
+ The "self" part of this middleware hinges on you having used
+ middleware.exposeUid prior to invoking this middleware.
+ */
 if (req.user) {
+ if (req.user.uid === res.locals.uid) {
+ return next();
+ }
+
 user.isAdminOrGlobalMod(req.uid, function (err, ok) {
 if (err) {
 return next(err);
diff --git a/src/routes/accounts.js b/src/routes/accounts.js
index 118a613112..ae80b8aa4a 100644
--- a/src/routes/accounts.js
+++ b/src/routes/accounts.js
@@ -28,7 +28,7 @@ module.exports = function (app, middleware, controllers) {
 setupPageRoute(app, '/user/:userslug/info', middleware, accountMiddlewares, controllers.accounts.info.get);
 setupPageRoute(app, '/user/:userslug/settings', middleware, accountMiddlewares, controllers.accounts.settings.get);
- app.delete('/api/user/:userslug/session/:uuid', [middleware.ensureGlobalPrivilege], controllers.accounts.session.revoke);
+ app.delete('/api/user/:userslug/session/:uuid', [middleware.exposeUid, middleware.ensureSelfOrGlobalPrivilege], controllers.accounts.session.revoke);
 setupPageRoute(app, '/notifications', middleware, [middleware.authenticate], controllers.accounts.notifications.get);
 setupPageRoute(app, '/user/:userslug/chats/:roomid?', middleware, middlewares, controllers.accounts.chats.get);
diff --git a/test/controllers.js b/test/controllers.js
index 1f31e0a037..1d1d12f39b 100644
--- a/test/controllers.js
+++ b/test/controllers.js
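Review bot: The self check `req.user.uid === res.locals.uid` is strict, so if the two values arrive with different types (for instance a numeric session uid and a string-typed value set by `exposeUid`, which this diff does not show) the owner is never recognised and silently falls through to the admin/global-moderator check; the existing code also reads `req.uid` for that check but `req.user.uid` here, and the two should be unified. If the types are not guaranteed, `if (parseInt(req.user.uid, 10) === parseInt(res.locals.uid, 10))` compares them numerically and still fails closed when `res.locals.uid` is undefined, because `NaN === NaN` is false. Renaming `ensureGlobalPrivilege` drops the old export, so any other route that still lists it would get `undefined` in its middleware array at startup; keeping `middleware.ensureGlobalPrivilege` as an alias, or confirming there are no other references, avoids that. The in-body block comment reads better as a JSDoc above the function, such as `/** Passes if the caller is the user identified by res.locals.uid (set by middleware.exposeUid) or an admin/global moderator; otherwise responds 403. */`. The function body continues outside the hunk.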
@@ -533,8 +533,8 @@ describe('Controllers', function () {
 }
 }, function (err, res, body) {
 assert.ifError(err);
- assert.equal(res.statusCode, 500);
- assert.equal(body, '[[error:no-session-found]]');
+ assert.equal(res.statusCode, 403);
+ assert.equal(body, '{"path":"/user/doesnotexist/session/1112233","loggedIn":true,"title":"[[global:403.title]]"}');
 done();
 });
 });
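Review bot: The new body assertion pins the entire serialised 403 payload, including the `title` translation key and the key order of whatever helper renders it (presumably `notAllowed`), so any unrelated change to that response breaks this test; parsing the body and asserting only the fields that matter is more durable: `const parsed = JSON.parse(body); assert.equal(parsed.path, '/user/doesnotexist/session/1112233'); assert.equal(parsed.loggedIn, true);`. The change from 500 to 403 also deserves a one-line comment in the test, `// a non-existent userslug is now rejected by ensureSelfOrGlobalPrivilege before the controller runs`, since that is the behaviour the assertion encodes. The enclosing `it` block starts outside the hunk.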