From 8385ceef79ac5b879ad465b085bd38db17e7482f Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Mon, 23 Dec 2013 21:42:34 -0500
Subject: [PATCH 1/3] topics in private categories can no longer be accessed via ajaxify or by direct link
---
 src/routes/api.js | 37 ++++++++++++++++++++++---------------
 src/webserver.js | 21 ++++++++++++++++++++-
 2 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/src/routes/api.js b/src/routes/api.js
index c8a36b16af..9051916188 100644
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -7,6 +7,7 @@ var path = require('path'),
 groups = require('../groups'),
 auth = require('./authentication'),
 topics = require('../topics'),
+ ThreadTools = require('../threadTools'),
 posts = require('../posts'),
 categories = require('../categories'),
 categoryTools = require('../categoryTools') 
@@ -120,21 +121,27 @@ var path = require('path'),
 app.get('/topic/:id/:slug?', function (req, res, next) {
 var uid = (req.user) ? req.user.uid : 0;
- topics.getTopicWithPosts(req.params.id, uid, 0, 10, false, function (err, data) {
- if (!err) {
- if (parseInt(data.deleted, 10) === 1 && parseInt(data.expose_tools, 10) === 0) {
- return res.json(404, {});
- }
- // get the category this post belongs to and check category access
- var cid = data.category_slug.split("/")[0];
- groups.getCategoryAccess(cid, uid, function(err, access){
- if (access){
- res.json(data);
- } else {
- res.send(403);
- }
- })
- } else next();
+ ThreadTools.privileges(req.params.id, uid, function(err, privileges) {
+ if (privileges.read) {
+ topics.getTopicWithPosts(req.params.id, uid, 0, 10, false, function (err, data) {
+ if (!err) {
+ if (parseInt(data.deleted, 10) === 1 && parseInt(data.expose_tools, 10) === 0) {
+ return res.json(404, {});
+ }
+ // get the category this post belongs to and check category access
+ var cid = data.category_slug.split("/")[0];
+ groups.getCategoryAccess(cid, uid, function(err, access){
+ if (access){
+ res.json(data);
+ } else {
+ res.send(403);
+ }
+ })
+ } else next();
+ });
+ } else {
+ res.send(403);
+ }
 });
 });
diff --git a/src/webserver.js b/src/webserver.js
index d884de520b..2cca579768 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -18,6 +18,7 @@ var path = require('path'),
 categories = require('./categories'),
 posts = require('./posts'),
 topics = require('./topics'),
+ ThreadTools = require('./threadTools'),
 notifications = require('./notifications'),
 admin = require('./routes/admin'),
 userRoute = require('./routes/user'), 
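Review bot: The new callback reads `privileges.read` without first testing `err`, so a failed ThreadTools.privileges lookup (where `privileges` is presumably not populated) would throw a TypeError inside the callback instead of producing a response; the equivalent check added to webserver.js in this same patch does test `err`, and this route should match it. Add `if (err) { return next(err); }` ahead of `if (privileges.read) {` so lookup failures fail closed and reach Express's error handling rather than crashing mid-request. The retained `groups.getCategoryAccess` check is reasonable as defence in depth, but it ignores its own `err` in the same way, so the same one-line guard belongs there too. The route handler is complete within the hunk.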
@@ -484,6 +485,20 @@ var path = require('path'),
 }
 async.waterfall([
+ function(next) {
+ // Check whether this user is allowed to access this topic
+ ThreadTools.privileges(tid, ((req.user) ? req.user.uid : 0), function(err, privileges) {
+ if (!err) {
+ if (!privileges.read) {
+ next(new Error('not-enough-privileges'));
+ } else {
+ next();
+ }
+ } else {
+ next(err);
+ }
+ });
+ },
 function (next) {
 topics.getTopicWithPosts(tid, ((req.user) ? req.user.uid : 0), 0, -1, true, function (err, topicData) {
 if (topicData) {
@@ -558,7 +573,11 @@ var path = require('path'),
 },
 ], function (err, data) {
 if (err) {
- return res.redirect('404');
+ if (err.message === 'not-enough-privileges') {
+ return res.redirect('403');
+ } else {
+ return res.redirect('404');
+ }
 }
 var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');
From 8f879cd3ebae0d6e04b3371093b75b4b74403882 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Mon, 23 Dec 2013 21:50:47 -0500
Subject: [PATCH 2/3] topics will no longer show up in /recent if user cannot access them
---
 src/topics.js | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/topics.js b/src/topics.js
index bc971b8c6a..b2757514b2 100644
--- a/src/topics.js
+++ b/src/topics.js
@@ -262,9 +262,20 @@ var async = require('async'),
 return;
 }
- Topics.getTopicsByTids(tids, current_user, function(topicData) {
- latestTopics.topics = topicData;
- callback(err, latestTopics);
+ // Filter out topics that belong to categories that this user cannot access
+ async.filter(tids, function(tid, next) {
+ threadTools.privileges(tid, current_user, function(err, privileges) {
+ if (!err && privileges.read) {
+ next(true);
+ } else {
+ next(false);
+ }
+ });
+ }, function(tids) {
+ Topics.getTopicsByTids(tids, current_user, function(topicData) {
+ latestTopics.topics = topicData;
+ callback(err, latestTopics);
+ });
 });
 });
 }
From a078f73e849b922b67a9b9302e4aef48bd9a6f11 Mon Sep 17 00:00:00 2001 
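Review bot: The privilege step signals denial with the bare string `'not-enough-privileges'` in `new Error(...)`, and the waterfall's final callback (the `@@ -558,7 +573,11 @@` hunk) recovers it by comparing `err.message`, so the two sites are coupled through a literal that nothing else names. A module-level `var NOT_ENOUGH_PRIVILEGES = 'not-enough-privileges';` used at both sites, or setting a dedicated property such as `err.status = 403` on the error and checking that instead, would make the contract explicit and keep an unrelated error whose message happens to match from being turned into a 403. The uid expression `((req.user) ? req.user.uid : 0)` is also now evaluated in this step and again in the next waterfall step; hoisting it into a `var uid` before `async.waterfall([` removes the repetition. The enclosing route handler begins before and ends after this hunk.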
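Review bot: Redirecting to `'403'` for `not-enough-privileges` while every other failure still redirects to `'404'` lets an unprivileged visitor learn that a given topic id exists inside a category they cannot read, and the `/api/topic/:id` route in the same patch answers 403 in the same situation. If the existence of topics in private categories is itself considered sensitive, answer `'404'` for both cases here and in the API route; if the distinction is deliberate, record that with a comment such as `// 403 is intentional: private topics are distinguishable from missing ones`. The final callback continues past the end of the hunk.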
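Review bot: The per-tid privilege filter added here is repeated verbatim in the `@@ -353,14 +353,25 @@` hunk of PATCH 3/3 (the unread-topics path), and both collapse a failed `threadTools.privileges` lookup into `next(false)`, so a backend error silently empties the list instead of surfacing as an error. Extracting the filter into one helper keeps the fail-closed choice in a single, commented place where error reporting can later be added. The helper below would replace the `async.filter` block at both sites; it relies on `threadTools` already being in scope in topics.js, which this hunk assumes without adding a require — worth confirming at the top of the module. The enclosing function starts before the hunk (its `return;` guard is the first context line).
```javascript
// Keep only the tids in categories the given uid may read.  A failed
// privilege lookup is treated as "not readable" (fail closed); if that
// hides a backend problem it should be reported here rather than at callers.
function filterReadableTids(tids, uid, callback) {
	async.filter(tids, function(tid, next) {
		threadTools.privileges(tid, uid, function(err, privileges) {
			if (!err && privileges.read) {
				next(true);
			} else {
				next(false);
			}
		});
	}, callback);
}

// … unchanged: early return on error …
filterReadableTids(tids, current_user, function(readableTids) {
	Topics.getTopicsByTids(readableTids, current_user, function(topicData) {
		latestTopics.topics = topicData;
		callback(err, latestTopics);
	});
});
```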
From: Julian Lam
Date: Mon, 23 Dec 2013 22:06:53 -0500
Subject: [PATCH 3/3] omg I don't know what I am doing
---
 src/topics.js | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/topics.js b/src/topics.js
index b2757514b2..4efe8c002a 100644
--- a/src/topics.js
+++ b/src/topics.js
@@ -353,14 +353,25 @@ var async = require('async'),
 return parseInt(read[index], 10) === 0;
 });
- unreadTids.push.apply(unreadTids, newtids);
+ // Filter out topics that belong to categories that this user cannot access
+ async.filter(newtids, function(tid, next) {
+ threadTools.privileges(tid, uid, function(err, privileges) {
+ if (!err && privileges.read) {
+ next(true);
+ } else {
+ next(false);
+ }
+ });
+ }, function(newtids) {
+ unreadTids.push.apply(unreadTids, newtids);
- if(continueCondition()) {
- start = stop + 1;
- stop = start + 19;
- }
+ if(continueCondition()) {
+ start = stop + 1;
+ stop = start + 19;
+ }
- callback(null);
+ callback(null);
+ });
 });
 }
 });
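Review bot: The filter's result callback names its parameter `newtids`, shadowing the `newtids` array that was just passed to `async.filter`, so a reader cannot tell at `unreadTids.push.apply(unreadTids, newtids);` whether the unfiltered or the filtered list is appended. Renaming it makes the data flow visible: `}, function(readableTids) {` and `unreadTids.push.apply(unreadTids, readableTids);`. Because `continueCondition()` now runs only after the filtered page has been appended, pages whose topics are all inaccessible contribute nothing and the loop presumably advances by another `start = stop + 1; stop = start + 19;` window; a short comment above `async.filter` saying that this is the intended behaviour would save the next reader from wondering whether the loop can stall. The enclosing function starts and ends outside the hunk.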