fix: dont allow searching by email/ip if not privileged

5 years ago · ac6b571ed5
parent fef04fcf6b
commit ac6b571ed5
3 changed files with 10 additions and 5 deletions
--- a/public/src/client/chats/search.js
+++ b/public/src/client/chats/search.js
@ -28,6 +28,7 @@ define('forum/chats/search', ['components'], function (components) {
 		socket.emit('user.search', {
 			query: username,
 			searchBy: 'username',
+			paginate: false,
 		}, function (err, data) {
 			if (err) {
 				return app.alertError(err.message);
--- a/src/controllers/users.js
+++ b/src/controllers/users.js
@ -30,10 +30,14 @@ usersController.index = async function (req, res, next) {
 	}
 };

-usersController.search = async function (req, res, next) {
-	const allowed = await privileges.global.can('search:users', req.uid);
-	if (!allowed) {
-		return next(new Error('[[error:no-privileges]]'));
+usersController.search = async function (req, res) {
+	const [allowed, isPrivileged] = await Promise.all([
+		privileges.global.can('search:users', req.uid),
+		user.isPrivileged(req.uid),
+	]);
+
+	if (!allowed || ((req.query.searchBy === 'ip' || req.query.searchBy === 'email' || req.query.bannedOnly === 'true' || req.query.flaggedOnly === 'true') && !isPrivileged)) {
+		throw new Error('[[error:no-privileges]]');
 	}
 	const [searchData, isAdminOrGlobalMod] = await Promise.all([
 		user.search({
--- a/src/socket.io/user/search.js
+++ b/src/socket.io/user/search.js
@ -14,7 +14,7 @@ module.exports = function (SocketUser) {
 			user.isPrivileged(socket.uid),
 		]);

-		if (!allowed || ((data.searchBy === 'ip' || data.bannedOnly || data.flaggedOnly) && !isPrivileged)) {
+		if (!allowed || ((data.searchBy === 'ip' || data.searchBy === 'email' || data.bannedOnly || data.flaggedOnly) && !isPrivileged)) {
 			throw new Error('[[error:no-privileges]]');
 		}
 		const result = await user.search({