locking down session deletion route to admins and global mods only

src/middleware/index.js

@@ -49,6 +49,20 @@ middleware.authenticate = function (req, res, next) {
 	controllers.helpers.notAllowed(req, res);
 };
 
+middleware.ensureGlobalPrivilege = function (req, res, next) {
+	if (req.user) {
+		user.isAdminOrGlobalMod(req.uid, function (err, ok) {
+			if (ok) {
+				return next();
+			} else {
+				controllers.helpers.notAllowed(req, res);
+			}
+		});
+	} else {
+		controllers.helpers.notAllowed(req, res);
+	}
+};
+
 middleware.pageView = function (req, res, next) {
 	analytics.pageView({
 		ip: req.ip,

src/routes/accounts.js

@@ -28,7 +28,7 @@ module.exports = function (app, middleware, controllers) {
 	setupPageRoute(app, '/user/:userslug/info', middleware, accountMiddlewares, controllers.accounts.info.get);
 	setupPageRoute(app, '/user/:userslug/settings', middleware, accountMiddlewares, controllers.accounts.settings.get);
 
-	app.delete('/api/user/:userslug/session/:uuid', [middleware.requireUser], controllers.accounts.session.revoke);
+	app.delete('/api/user/:userslug/session/:uuid', [middleware.ensureGlobalPrivilege], controllers.accounts.session.revoke);
 
 	setupPageRoute(app, '/notifications', middleware, [middleware.authenticate], controllers.accounts.notifications.get);
 	setupPageRoute(app, '/user/:userslug/chats/:roomid?', middleware, middlewares, controllers.accounts.chats.get);