refactor: middleware.assert.*

v1.18.x
Julian Lam 4 years ago
parent 41f55b7a5a
commit 8ecef7b891

@ -19,60 +19,60 @@ const posts = require('../posts');
const helpers = require('./helpers');
const controllerHelpers = require('../controllers/helpers');
module.exports = function (middleware) {
middleware.assertUser = helpers.try(async (req, res, next) => {
if (!await user.exists(req.params.uid)) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
}
next();
});
middleware.assertGroup = helpers.try(async (req, res, next) => {
const name = await groups.getGroupNameByGroupSlug(req.params.slug);
if (!name || !await groups.exists(name)) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-group]]'));
}
next();
});
middleware.assertTopic = helpers.try(async (req, res, next) => {
if (!await topics.exists(req.params.tid)) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
}
next();
});
middleware.assertPost = helpers.try(async (req, res, next) => {
if (!await posts.exists(req.params.pid)) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
}
next();
});
middleware.assertPath = helpers.try(async (req, res, next) => {
// file: URL support
if (req.body.path.startsWith('file:///')) {
req.body.path = new URL(req.body.path).pathname;
}
// Checks file exists and is within bounds of upload_path
const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
res.locals.cleanedPath = pathToFile;
if (!pathToFile.startsWith(nconf.get('upload_path'))) {
return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
}
try {
await fsPromises.access(pathToFile, fs.constants.F_OK);
} catch (e) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
}
next();
});
};
const Assert = module.exports;
Assert.user = helpers.try(async (req, res, next) => {
if (!await user.exists(req.params.uid)) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
}
next();
});
Assert.group = helpers.try(async (req, res, next) => {
const name = await groups.getGroupNameByGroupSlug(req.params.slug);
if (!name || !await groups.exists(name)) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-group]]'));
}
next();
});
Assert.topic = helpers.try(async (req, res, next) => {
if (!await topics.exists(req.params.tid)) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
}
next();
});
Assert.post = helpers.try(async (req, res, next) => {
if (!await posts.exists(req.params.pid)) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
}
next();
});
Assert.path = helpers.try(async (req, res, next) => {
// file: URL support
if (req.body.path.startsWith('file:///')) {
req.body.path = new URL(req.body.path).pathname;
}
// Checks file exists and is within bounds of upload_path
const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
res.locals.cleanedPath = pathToFile;
if (!pathToFile.startsWith(nconf.get('upload_path'))) {
return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
}
try {
await fsPromises.access(pathToFile, fs.constants.F_OK);
} catch (e) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
}
next();
});
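Review bot: The containment check in `Assert.path` compares the joined path against the bare `upload_path` string, so after `path.join` has collapsed any `..` segments a location that merely shares the upload directory's name as a prefix (a sibling directory such as `uploads2` beside `uploads`) still passes the `startsWith` test. Compare against the prefix with a trailing separator instead, `if (!pathToFile.startsWith(path.join(nconf.get('upload_path'), path.sep))) {`, which also rejects an empty or `.` path that would resolve to the upload directory itself; this presumes `upload_path` is stored normalised, which is not visible here. Separately, `Assert.post` responds with `[[error:no-topic]]` for a missing post, which reads as a copy of `Assert.topic`; it should use the post-specific language key if the language files define one. Both points are carried over from the removed `assertPath`/`assertPost` versions rather than introduced by the refactor, but the new side is where they should be fixed.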

@ -60,7 +60,7 @@ require('./maintenance')(middleware);
require('./user')(middleware);
require('./headers')(middleware);
require('./expose')(middleware);
require('./assert')(middleware);
middleware.assert = require('./assert');
middleware.stripLeadingSlashes = function stripLeadingSlashes(req, res, next) {
var target = req.originalUrl.replace(nconf.get('relative_path'), '');

@ -10,8 +10,8 @@ const setupApiRoute = routeHelpers.setupApiRoute;
module.exports = function () {
const middlewares = [middleware.authenticate];
// setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['path']), middleware.assertFolder], 'put', controllers.write.files.upload);
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['path']), middleware.assertPath], 'delete', controllers.write.files.delete);
// setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['path']), middleware.assert.folder], 'put', controllers.write.files.upload);
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['path']), middleware.assert.path], 'delete', controllers.write.files.delete);
return router;
};

@ -11,9 +11,9 @@ module.exports = function () {
const middlewares = [middleware.authenticate];
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['name']), middleware.exposePrivilegeSet], 'post', controllers.write.groups.create);
setupApiRoute(router, '/:slug', middleware, [...middlewares, middleware.assertGroup, middleware.exposePrivileges], 'delete', controllers.write.groups.delete);
setupApiRoute(router, '/:slug/membership/:uid', middleware, [...middlewares, middleware.assertGroup, middleware.exposePrivileges], 'put', controllers.write.groups.join);
setupApiRoute(router, '/:slug/membership/:uid', middleware, [...middlewares, middleware.assertGroup, middleware.exposePrivileges], 'delete', controllers.write.groups.leave);
setupApiRoute(router, '/:slug', middleware, [...middlewares, middleware.assert.group, middleware.exposePrivileges], 'delete', controllers.write.groups.delete);
setupApiRoute(router, '/:slug/membership/:uid', middleware, [...middlewares, middleware.assert.group, middleware.exposePrivileges], 'put', controllers.write.groups.join);
setupApiRoute(router, '/:slug/membership/:uid', middleware, [...middlewares, middleware.assert.group, middleware.exposePrivileges], 'delete', controllers.write.groups.leave);
return router;
};

@ -11,16 +11,16 @@ module.exports = function () {
const middlewares = [middleware.authenticate];
setupApiRoute(router, '/:pid', middleware, [...middlewares, middleware.checkRequired.bind(null, ['content'])], 'put', controllers.write.posts.edit);
setupApiRoute(router, '/:pid', middleware, [...middlewares, middleware.assertPost], 'delete', controllers.write.posts.purge);
setupApiRoute(router, '/:pid', middleware, [...middlewares, middleware.assert.post], 'delete', controllers.write.posts.purge);
setupApiRoute(router, '/:pid/state', middleware, [...middlewares, middleware.assertPost], 'put', controllers.write.posts.restore);
setupApiRoute(router, '/:pid/state', middleware, [...middlewares, middleware.assertPost], 'delete', controllers.write.posts.delete);
setupApiRoute(router, '/:pid/state', middleware, [...middlewares, middleware.assert.post], 'put', controllers.write.posts.restore);
setupApiRoute(router, '/:pid/state', middleware, [...middlewares, middleware.assert.post], 'delete', controllers.write.posts.delete);
setupApiRoute(router, '/:pid/vote', middleware, [...middlewares, middleware.checkRequired.bind(null, ['delta']), middleware.assertPost], 'put', controllers.write.posts.vote);
setupApiRoute(router, '/:pid/vote', middleware, [...middlewares, middleware.assertPost], 'delete', controllers.write.posts.unvote);
setupApiRoute(router, '/:pid/vote', middleware, [...middlewares, middleware.checkRequired.bind(null, ['delta']), middleware.assert.post], 'put', controllers.write.posts.vote);
setupApiRoute(router, '/:pid/vote', middleware, [...middlewares, middleware.assert.post], 'delete', controllers.write.posts.unvote);
setupApiRoute(router, '/:pid/bookmark', middleware, [...middlewares, middleware.assertPost], 'put', controllers.write.posts.bookmark);
setupApiRoute(router, '/:pid/bookmark', middleware, [...middlewares, middleware.assertPost], 'delete', controllers.write.posts.unbookmark);
setupApiRoute(router, '/:pid/bookmark', middleware, [...middlewares, middleware.assert.post], 'put', controllers.write.posts.bookmark);
setupApiRoute(router, '/:pid/bookmark', middleware, [...middlewares, middleware.assert.post], 'delete', controllers.write.posts.unbookmark);
return router;
};

@ -11,25 +11,25 @@ module.exports = function () {
const middlewares = [middleware.authenticate];
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['cid', 'title', 'content'])], 'post', controllers.write.topics.create);
setupApiRoute(router, '/:tid', middleware, [...middlewares, middleware.checkRequired.bind(null, ['content']), middleware.assertTopic], 'post', controllers.write.topics.reply);
setupApiRoute(router, '/:tid', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.purge);
setupApiRoute(router, '/:tid', middleware, [...middlewares, middleware.checkRequired.bind(null, ['content']), middleware.assert.topic], 'post', controllers.write.topics.reply);
setupApiRoute(router, '/:tid', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.purge);
setupApiRoute(router, '/:tid/state', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.restore);
setupApiRoute(router, '/:tid/state', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.delete);
setupApiRoute(router, '/:tid/state', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.restore);
setupApiRoute(router, '/:tid/state', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.delete);
setupApiRoute(router, '/:tid/pin', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.pin);
setupApiRoute(router, '/:tid/pin', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.unpin);
setupApiRoute(router, '/:tid/pin', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.pin);
setupApiRoute(router, '/:tid/pin', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.unpin);
setupApiRoute(router, '/:tid/lock', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.lock);
setupApiRoute(router, '/:tid/lock', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.unlock);
setupApiRoute(router, '/:tid/lock', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.lock);
setupApiRoute(router, '/:tid/lock', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.unlock);
setupApiRoute(router, '/:tid/follow', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.follow);
setupApiRoute(router, '/:tid/follow', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.unfollow);
setupApiRoute(router, '/:tid/ignore', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.ignore);
setupApiRoute(router, '/:tid/ignore', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.unfollow); // intentional, unignore == unfollow
setupApiRoute(router, '/:tid/follow', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.follow);
setupApiRoute(router, '/:tid/follow', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.unfollow);
setupApiRoute(router, '/:tid/ignore', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.ignore);
setupApiRoute(router, '/:tid/ignore', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.unfollow); // intentional, unignore == unfollow
setupApiRoute(router, '/:tid/tags', middleware, [...middlewares, middleware.checkRequired.bind(null, ['tags']), middleware.assertTopic], 'put', controllers.write.topics.addTags);
setupApiRoute(router, '/:tid/tags', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.deleteTags);
setupApiRoute(router, '/:tid/tags', middleware, [...middlewares, middleware.checkRequired.bind(null, ['tags']), middleware.assert.topic], 'put', controllers.write.topics.addTags);
setupApiRoute(router, '/:tid/tags', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.deleteTags);
return router;
};

@ -18,19 +18,19 @@ function authenticatedRoutes() {
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['username']), middleware.isAdmin], 'post', controllers.write.users.create);
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['uids']), middleware.isAdmin, middleware.exposePrivileges], 'delete', controllers.write.users.deleteMany);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.update);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assert.user], 'put', controllers.write.users.update);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword']), middleware.assertUser], 'put', controllers.write.users.changePassword);
setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword']), middleware.assert.user], 'put', controllers.write.users.changePassword);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.follow);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'delete', controllers.write.users.unfollow);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assert.user], 'put', controllers.write.users.follow);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assert.user], 'delete', controllers.write.users.unfollow);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'put', controllers.write.users.ban);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivileges], 'put', controllers.write.users.ban);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
setupApiRoute(router, '/:uid/tokens', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivilegeSet], 'post', controllers.write.users.generateToken);
setupApiRoute(router, '/:uid/tokens/:token', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivilegeSet], 'delete', controllers.write.users.deleteToken);
setupApiRoute(router, '/:uid/tokens', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivilegeSet], 'post', controllers.write.users.generateToken);
setupApiRoute(router, '/:uid/tokens/:token', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivilegeSet], 'delete', controllers.write.users.deleteToken);
/**
* Implement this later...
