From b56df975e0a1175dac2f10c6f535f18eb554fed4 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 7 May 2014 11:46:24 -0400
Subject: [PATCH] fixed 1495
---
 public/src/ajaxify.js | 4 +++-
 public/src/forum/login.js | 18 ++++++++++++------
 src/controllers/index.js | 3 +++
 src/middleware/admin.js | 4 ++++
 src/middleware/middleware.js | 7 ++++++-
 src/routes/authentication.js | 2 +-
 6 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/public/src/ajaxify.js b/public/src/ajaxify.js
index 6513d305d3..d3f68e8fab 100644
--- a/public/src/ajaxify.js
+++ b/public/src/ajaxify.js
@@ -186,7 +186,9 @@ var ajaxify = ajaxify || {};
 if (data && data.status === 404) {
 return ajaxify.go('404');
 } else if (data && data.status === 403) {
- return ajaxify.go('403');
+ app.alertError('[[global:please_log_in]]');
+ app.previousUrl = url;
+ return ajaxify.go('login');
 } else if (data && data.status === 302) {
 return ajaxify.go(data.responseJSON.slice(1));
 } else if (textStatus !== "abort") {
diff --git a/public/src/forum/login.js b/public/src/forum/login.js
index dd1ba7f22b..5741cb0079 100644
--- a/public/src/forum/login.js
+++ b/public/src/forum/login.js
@@ -1,3 +1,6 @@
+"use strict";
+/* global define, app, RELATIVE_PATH */
+
 define(function() {
 var Login = {};
@@ -6,11 +9,12 @@ define(function() {
 e.preventDefault();
 var loginData = {
- 'username': $('#username').val(),
- 'password': $('#password').val(),
- 'remember': $('#remember').prop('checked'),
- '_csrf': $('#csrf-token').val()
- };
+ 'username': $('#username').val(),
+ 'password': $('#password').val(),
+ 'remember': $('#remember').prop('checked'),
+ '_csrf': $('#csrf-token').val()
+ },
+ previousUrl = $('input[name="previousUrl"]').val();
 $('#login').attr('disabled', 'disabled').html('Logging in...');
 $('#login-error-notify').hide();
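Review bot: The 403 branch now treats every forbidden response as "not logged in": it alerts `[[global:please_log_in]]` and navigates to the login page even when the user is already authenticated and merely lacks the permission (the admin and account-permission middlewares in this same patch still answer 403 for that case after their new anonymous-user guards). If the client tracks the current session (no `app.uid`-style field is visible in this hunk, so confirm), branch on it — redirect to login only for anonymous users and keep `return ajaxify.go('403');` for authenticated ones — otherwise a non-admin following an admin link gets a misleading "please log in" prompt. The enclosing error handler starts before this hunk.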
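Review bot: The new `/* global define, app, RELATIVE_PATH */` directive omits `$`, which this file uses throughout (the `$('#username')` calls in the next hunk), so a linter honouring the directive would report `$` as undefined unless jQuery is declared in a shared lint config that is not visible here. Extend the list: `/* global define, app, RELATIVE_PATH, $ */`. Whether `RELATIVE_PATH` is actually referenced in this file cannot be confirmed from the hunks shown.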
@@ -21,7 +25,9 @@ define(function() {
 data: loginData,
 success: function(data, textStatus, jqXHR) {
 $('#login').html('Redirecting...');
- if(!app.previousUrl) {
+ if (previousUrl) {
+ app.previousUrl = previousUrl;
+ } else if (!app.previousUrl) {
 app.previousUrl = '/';
 }
diff --git a/src/controllers/index.js b/src/controllers/index.js
index eb0af56d65..d361fd85e7 100644
--- a/src/controllers/index.js
+++ b/src/controllers/index.js
@@ -176,6 +176,9 @@ Controllers.login = function(req, res, next) {
 data.token = res.locals.csrf_token;
 data.showResetLink = emailersPresent;
 data.allowLocalLogin = meta.config.allowLocalLogin === undefined || parseInt(meta.config.allowLocalLogin, 10) === 1;
+ if (req.query.next) {
+ data.previousUrl = req.query.next;
+ }
 res.render('login', data);
 };
diff --git a/src/middleware/admin.js b/src/middleware/admin.js
index cbe7b2ed16..d9d36791ce 100644
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@@ -15,6 +15,10 @@ var app,
 middleware.isAdmin = function(req, res, next) {
+ if (!req.user) {
+ return res.redirect('/login?next=admin');
+ }
+
 user.isAdministrator((req.user && req.user.uid) ? req.user.uid : 0, function (err, isAdmin) {
 if (err) {
 return next(err);
diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
index 29b836035e..8301e628c8 100644
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@@ -99,7 +99,7 @@ middleware.checkGlobalPrivacySettings = function(req, res, next) {
 if (res.locals.isAPI) {
 return res.json(403, 'not-allowed');
 } else {
- return res.redirect('403');
+ return res.redirect('login?next=' + req.url);
 }
 }
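Review bot: `previousUrl` is read from the `previousUrl` hidden input and copied into `app.previousUrl` with no check on its shape; the value originates from `req.query.next` (see the src/controllers/index.js hunk below, which copies it into `data.previousUrl` as-is), so a crafted link such as `/login?next=//example.invalid/` places an attacker-chosen string into the post-login redirect target. Whether that becomes an open redirect depends on how the navigation after 'Redirecting...' is performed (`ajaxify.go` versus a full `window.location` assignment, both outside this hunk), but the cheap defence is to accept only same-origin relative paths before assigning, e.g. `if (previousUrl && /^\/(?![\/\\])/.test(previousUrl)) { app.previousUrl = previousUrl; }`, and to apply the same filter server-side where `req.query.next` is copied into the template data. Note also that the hidden input now takes precedence over any `app.previousUrl` set by the ajaxify 403 handler, which is fine only once the server-supplied value is validated. The success callback continues past the end of this hunk.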
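Review bot: The new `if (!req.user)` guard in `isAdmin` redirects unconditionally, so an unauthenticated API/XHR call to an admin route now receives a 302 to an HTML login page instead of the JSON 403 that `checkGlobalPrivacySettings` (same patch) returns for `res.locals.isAPI`; the `callerUID === 0` guard added to `checkAccountPermissions` in src/middleware/middleware.js has the same gap. Assuming `res.locals.isAPI` is populated before these middlewares run, mirror that branch first: `if (res.locals.isAPI) { return res.json(403, 'not-allowed'); }`. Two smaller points: the fixed `next=admin` discards the admin sub-path the user actually requested — `'/login?next=' + encodeURIComponent(req.originalUrl)` preserves it (`originalUrl` rather than `url`, since a mounted router strips its prefix from `req.url`) — and the `(req.user && req.user.uid) ? req.user.uid : 0` ternary is redundant after the guard and can become `req.user.uid`.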
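Review bot: `'login?next=' + req.url` concatenates the raw request URL into a query parameter, so any `&` or `#` inside `req.url` (a page URL carrying its own query string, for instance) truncates or corrupts the `next` value the login controller later reads via `req.query.next`; wrap it in `encodeURIComponent`. The target is also the only bare `login` in this patch — the other redirects use `/login`, and a relative `Location` is resolved by the browser against the current path (a request to `/category/5` would land on `/category/login?...`), unless the old `res.redirect('403')` was already relying on a base path not visible here. Suggested line: `return res.redirect('/login?next=' + encodeURIComponent(req.url));`. The same unencoded concatenation appears in the `callerUID === 0` guard added to `checkAccountPermissions` in the next hunk. The function body starts before this hunk.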
@@ -107,8 +107,13 @@ middleware.checkGlobalPrivacySettings = function(req, res, next) {
 };
 middleware.checkAccountPermissions = function(req, res, next) {
+ // This middleware ensures that only the requested user and admins can pass
 var callerUID = req.user ? parseInt(req.user.uid, 10) : 0;
+ if (callerUID === 0) {
+ return res.redirect('/login?next=' + req.url);
+ }
+
 // this function requires userslug to be passed in. todo: /user/uploadpicture should pass in userslug I think
 user.getUidByUserslug(req.params.userslug, function (err, uid) {
 if (err) {
diff --git a/src/routes/authentication.js b/src/routes/authentication.js
index e557c49e83..53d1953bec 100644
--- a/src/routes/authentication.js
+++ b/src/routes/authentication.js
@@ -31,7 +31,7 @@ function login(req, res, next) {
 if(meta.config.allowLocalLogin !== undefined && parseInt(meta.config.allowLocalLogin, 10) === 0) {
- return res.send(403);
+ return res.send(404);
 }
 passport.authenticate('local', function(err, userData, info) {
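Review bot: The 403→404 change on the disabled-local-login path carries no explanation, and its intent is easy to lose: presumably it exists because this patch makes the ajaxify client treat every 403 as "please log in" and bounce to the login page, which would misfire for a deliberately disabled login endpoint — but a reader has to cross-read public/src/ajaxify.js to work that out. Add a comment above the line, e.g. `// local login is disabled: answer 404 rather than 403 so the client does not redirect to /login`. A 404 also hides the endpoint's existence, which is a defensible choice but worth stating explicitly rather than leaving implicit. The `login` function continues outside this hunk.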