From 8f55ab1340efef434ae5ade4d83efc2026419826 Mon Sep 17 00:00:00 2001
From: Baris Usakli
Date: Tue, 26 Mar 2019 12:24:28 -0400
Subject: [PATCH] fix: #7494

---
 src/middleware/user.js | 3 +++
 src/routes/accounts.js | 4 ++--
 src/routes/api.js | 6 +++---
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/middleware/user.js b/src/middleware/user.js
index f43319e1dd..07e65cec4b 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -93,6 +93,9 @@ module.exports = function (middleware) {
 };

 middleware.canViewUsers = function canViewUsers(req, res, next) {
+ if (parseInt(res.locals.uid, 10) === req.uid) {
+ return next();
+ }
 privileges.global.can('view:users', req.uid, function (err, canView) {
 if (err || canView) {
 return next(err);
diff --git a/src/routes/accounts.js b/src/routes/accounts.js
index 33c65769ab..f7dbbbd649 100644
--- a/src/routes/accounts.js
+++ b/src/routes/accounts.js
@@ -4,8 +4,8 @@ var helpers = require('./helpers');
 var setupPageRoute = helpers.setupPageRoute;

 module.exports = function (app, middleware, controllers) {
- var middlewares = [middleware.canViewUsers, middleware.exposeUid];
- var accountMiddlewares = [middleware.canViewUsers, middleware.checkAccountPermissions, middleware.exposeUid];
+ var middlewares = [middleware.exposeUid, middleware.canViewUsers];
+ var accountMiddlewares = [middleware.exposeUid, middleware.canViewUsers, middleware.checkAccountPermissions];

 setupPageRoute(app, '/me/*', middleware, [], middleware.redirectMeToUserslug);
 setupPageRoute(app, '/uid/:uid*', middleware, [], middleware.redirectUidToUserslug);
diff --git a/src/routes/api.js b/src/routes/api.js
index 9e4aff58cf..76aad99fe8 100644
--- a/src/routes/api.js
+++ b/src/routes/api.js
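Review bot: The self-view shortcut added at the top of canViewUsers skips the 'view:users' privilege check whenever `parseInt(res.locals.uid, 10) === req.uid`, with no requirement that the requester be logged in; if exposeUid leaves res.locals.uid as 0 for an unknown userslug while a guest's req.uid is also 0, the comparison would hold and the privilege check is bypassed (how exposeUid and req.uid are populated is outside this hunk, so this is inferred). A cheap guard is `if (req.uid > 0 && parseInt(res.locals.uid, 10) === req.uid) {`. The shortcut also silently depends on exposeUid having run first — the accounts.js and api.js hunks reorder the middleware chains for exactly that — so a comment such as `// self-view: res.locals.uid is set by exposeUid, which must precede this middleware` would keep a later reorder from quietly dropping it. canViewUsers continues past the end of the hunk.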
@@ -16,7 +16,7 @@ module.exports = function (app, middleware, controllers) {
 }
 }, controllers.api.getConfig);

- router.get('/me', middleware.canViewUsers, controllers.user.getCurrentUser);
+ router.get('/me', controllers.user.getCurrentUser);
 router.get('/user/uid/:uid', middleware.canViewUsers, controllers.user.getUserByUID);
 router.get('/user/username/:username', middleware.canViewUsers, controllers.user.getUserByUsername);
 router.get('/user/email/:email', middleware.canViewUsers, controllers.user.getUserByEmail);
@@ -40,8 +40,8 @@ module.exports = function (app, middleware, controllers) {
 var middlewares = [middleware.maintenanceMode, multipartMiddleware, middleware.validateFiles, middleware.applyCSRF];
 router.post('/post/upload', middlewares, uploadsController.uploadPost);
 router.post('/topic/thumb/upload', middlewares, uploadsController.uploadThumb);
- router.post('/user/:userslug/uploadpicture', middlewares.concat([middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadPicture);
+ router.post('/user/:userslug/uploadpicture', middlewares.concat([middleware.exposeUid, middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadPicture);

- router.post('/user/:userslug/uploadcover', middlewares.concat([middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadCoverPicture);
+ router.post('/user/:userslug/uploadcover', middlewares.concat([middleware.exposeUid, middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadCoverPicture);
 router.post('/groups/uploadpicture', middlewares.concat([middleware.authenticate]), controllers.groups.uploadCover);
 };
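Review bot: Dropping canViewUsers from `/me` leaves that route with no gate at all, so a guest request (req.uid presumably 0) now reaches controllers.user.getCurrentUser directly; that is safe only if getCurrentUser itself refuses uid 0 instead of looking it up, which this hunk cannot confirm. Separately, `/user/uid/:uid`, `/user/username/:username` and `/user/email/:email` keep canViewUsers with nothing setting res.locals.uid ahead of it, so the self-view exception this commit adds to canViewUsers presumably never applies on these API routes — a user without 'view:users' can open their own profile page through accounts.js but would still be refused their own record here. If that asymmetry is unintended, either resolve the uid before canViewUsers on those three routes (as the upload routes below now do with exposeUid, if it can work from these params) or record the reason on the `/me` line with a comment stating how getCurrentUser handles a guest caller.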
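Review bot: In both rewritten upload routes middleware.exposeUid is placed ahead of middleware.authenticate, so whatever lookup exposeUid performs on `:userslug` runs for unauthenticated requests before they are rejected. Ordering the chain `[middleware.authenticate, middleware.exposeUid, middleware.canViewUsers, middleware.checkAccountPermissions]` on the uploadpicture line (and identically on the uploadcover line) rejects anonymous uploads first and still gives canViewUsers the res.locals.uid it now relies on, assuming authenticate does not itself need that value. The exported function closes with the `};` at the end of the hunk.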