hyperzlib
/
nodebb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(writeapi): calls to profile editing routes 200 even if user DNE

Browse Source
v1.18.x
Julian Lam 4 years ago
parent 7757f965eb
commit 8e7baac6ef
2 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File

9
src/middleware/assert.js
Unescape Escape View File

@ -5,12 +5,21 @@
* payload and throw an error otherwise.
*/
const user = require('../user');
const groups = require('../groups');
const topics = require('../topics');
const helpers = require('../controllers/helpers');
module.exports = function (middleware) {
middleware.assertUser = async (req, res, next) => {
if (!await user.exists(req.params.uid)) {
return helpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
}
next();
};
middleware.assertGroup = async (req, res, next) => {
const name = await groups.getGroupNameByGroupSlug(req.params.slug);
if (!name || await groups.exists(name)) {

14
src/routes/write/users.js
Unescape Escape View File

@ -18,16 +18,16 @@ function authenticatedRoutes() {
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['username']), middleware.isAdmin], 'post', controllers.write.users.create);
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['uids']), middleware.isAdmin, middleware.exposePrivileges], 'delete', controllers.write.users.deleteMany);
setupApiRoute(router, '/:uid', middleware, [...middlewares], 'put', controllers.write.users.update);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.update);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword'])], 'put', controllers.write.users.changePassword);
setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword']), middleware.assertUser], 'put', controllers.write.users.changePassword);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares], 'put', controllers.write.users.follow);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares], 'delete', controllers.write.users.unfollow);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.follow);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'delete', controllers.write.users.unfollow);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.exposePrivileges], 'put', controllers.write.users.ban);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'put', controllers.write.users.ban);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
/**
* Chat routes were not migrated because chats may get refactored... also the logic is derpy

Write Preview
Loading…
Cancel
Save