From cf4f5447bb168b9bac32ac7ddbe567f273966b88 Mon Sep 17 00:00:00 2001 From: Julian Lam Date: Mon, 19 Sep 2022 10:08:18 -0400 Subject: [PATCH] fix: #10906, allow `middleware.checkAccountPermissions` to be called with either uid or userslug in params Previously, the middleware only worked with userslug params --- src/middleware/user.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/middleware/user.js b/src/middleware/user.js index db3a97ef08..c3871bd023 100644 --- a/src/middleware/user.js +++ b/src/middleware/user.js @@ -165,7 +165,11 @@ module.exports = function (middleware) { return controllers.helpers.notAllowed(req, res); } - const uid = await user.getUidByUserslug(req.params.userslug); + if (!['uid', 'userslug'].some(param => req.params.hasOwnProperty(param))) { + return controllers.helpers.notAllowed(req, res); + } + + const uid = req.params.uid || await user.getUidByUserslug(req.params.userslug); let allowed = await privileges.users.canEdit(req.uid, uid); if (allowed) { return next();