only use multipart on upload routes,

delete temp files if there is an error in admin, admin/mods should see topic reply
10 years ago · 9a21e9646f
parent 67770e568f
commit 9a21e9646f
5 changed files with 31 additions and 25 deletions
--- a/src/controllers/admin/uploads.js
+++ b/src/controllers/admin/uploads.js
@ -14,6 +14,7 @@ function validateUpload(res, req, allowedTypes) {
 			error: 'Invalid image type. Allowed types are: ' + allowedTypes.join(', ')
 		};
 		fs.unlink(req.files.userPhoto.path);
 		res.send(req.xhr ? err : JSON.stringify(err));
 		return false;
 	}
@ -21,8 +22,6 @@ function validateUpload(res, req, allowedTypes) {
 	return true;
 }
 uploadsController.uploadImage = function(filename, folder, req, res) {
 	function done(err, image) {
 		var er, rs;
@ -54,6 +53,7 @@ uploadsController.uploadCategoryPicture = function(req, res, next) {
 		var err = {
 			error: 'Error uploading file! Error :' + e.message
 		};
 		fs.unlink(req.files.userPhoto.path);
 		return res.send(req.xhr ? err : JSON.stringify(err));
 	}
@ -71,6 +71,7 @@ uploadsController.uploadFavicon = function(req, res, next) {
 			fs.unlink(req.files.userPhoto.path);
 			if (err) {
 				err = {error: err.message};
 				return res.send(req.xhr ? err : JSON.stringify(err));
 			}
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@ -1,11 +1,11 @@
 "use strict";
-var utils = require('./../../public/src/utils'),
+var utils = require('../../public/src/utils'),
-	meta = require('./../meta'),
+	meta = require('../meta'),
-	plugins = require('./../plugins'),
+	plugins = require('../plugins'),
-	db = require('./../database'),
+	db = require('../database'),
-	auth = require('./../routes/authentication'),
+	auth = require('../routes/authentication'),
-	emitter = require('./../emitter'),
+	emitter = require('../emitter'),
 	async = require('async'),
 	path = require('path'),
@ -19,7 +19,6 @@ var utils = require('./../../public/src/utils'),
 	cookieParser = require('cookie-parser'),
 	compression = require('compression'),
 	favicon = require('serve-favicon'),
 	multipart = require('connect-multiparty'),
 	session = require('express-session'),
 	cluster = require('cluster'),
@ -93,8 +92,6 @@ module.exports = function(app, data) {
 		saveUninitialized: true
 	}));
 	app.use(multipart());
 	app.use(function (req, res, next) {
 		res.setHeader('X-Powered-By', 'NodeBB');
--- a/src/privileges/categories.js
+++ b/src/privileges/categories.js
@ -35,7 +35,7 @@ module.exports = function(privileges) {
 			var isAdminOrMod = results.isAdministrator || results.isModerator;
 			callback(null, {
-				'topics:create': results['topics:create'][0],
+				'topics:create': results['topics:create'][0] || isAdminOrMod,
 				editable: isAdminOrMod,
 				view_deleted: isAdminOrMod,
 				read: results.read[0] || isAdminOrMod
--- a/src/routes/admin.js
+++ b/src/routes/admin.js
@ -7,10 +7,15 @@ function apiRoutes(app, middleware, controllers) {
 	// todo, needs to be in api namespace
 	app.get('/users/csv', middleware.authenticate, controllers.admin.users.getCSV);
-	app.post('/category/uploadpicture', middleware.applyCSRF, middleware.authenticate, controllers.admin.uploads.uploadCategoryPicture);
+	var multipart = require('connect-multiparty');
-	app.post('/uploadfavicon', middleware.applyCSRF, middleware.authenticate, controllers.admin.uploads.uploadFavicon);
+	var multipartMiddleware = multipart();
-	app.post('/uploadlogo', middleware.applyCSRF, middleware.authenticate, controllers.admin.uploads.uploadLogo);
+
-	app.post('/uploadgravatardefault', middleware.applyCSRF, middleware.authenticate, controllers.admin.uploads.uploadGravatarDefault);
+	var middlewares = [multipartMiddleware, middleware.applyCSRF, middleware.authenticate];
 	app.post('/category/uploadpicture', middlewares, controllers.admin.uploads.uploadCategoryPicture);
 	app.post('/uploadfavicon', middlewares, controllers.admin.uploads.uploadFavicon);
 	app.post('/uploadlogo', middlewares, controllers.admin.uploads.uploadLogo);
 	app.post('/uploadgravatardefault', middlewares, controllers.admin.uploads.uploadGravatarDefault);
 }
 function adminRouter(middleware, controllers) {
--- a/src/routes/api.js
+++ b/src/routes/api.js
@ -206,8 +206,11 @@ module.exports =  function(app, middleware, controllers) {
 	router.get('/categories/:cid/moderators', getModerators);
 	router.get('/recent/posts/:term?', getRecentPosts);
-	router.post('/post/upload', middleware.applyCSRF, uploadPost);
+	var multipart = require('connect-multiparty');
-	router.post('/topic/thumb/upload', middleware.applyCSRF, uploadThumb);
+	var multipartMiddleware = multipart();
-	router.post('/user/:userslug/uploadpicture', middleware.applyCSRF, middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
+
 	router.post('/post/upload', multipartMiddleware, middleware.applyCSRF, uploadPost);
 	router.post('/topic/thumb/upload', multipartMiddleware, middleware.applyCSRF, uploadThumb);
 	router.post('/user/:userslug/uploadpicture', multipartMiddleware, middleware.applyCSRF, middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
 };