From da64eb0873d083d3b1bf7cca3f45361e12cb8149 Mon Sep 17 00:00:00 2001
From: barisusakli
Date: Wed, 24 Sep 2014 15:42:45 -0400
Subject: [PATCH] closes #2117

---
 src/controllers/categories.js | 14 +++++++++-----
 src/controllers/topics.js | 11 +++++++++++
 src/routes/index.js | 2 +-
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/controllers/categories.js b/src/controllers/categories.js
index d3b4291cd8..2ba1a31817 100644
--- a/src/controllers/categories.js
+++ b/src/controllers/categories.js
@@ -95,8 +95,8 @@ categoriesController.get = function(req, res, next) {
 exists: function(next) {
 categories.exists(cid, next);
 },
- disabled: function(next) {
- categories.getCategoryField(cid, 'disabled', next);
+ categoryData: function(next) {
+ categories.getCategoryFields(cid, ['slug', 'disabled'], next);
 },
 privileges: function(next) {
 privileges.categories.get(cid, uid, next);
@@ -107,7 +107,11 @@ categoriesController.get = function(req, res, next) {
 }, next);
 },
 function(results, next) {
- if (!results.exists || parseInt(results.disabled, 10) === 1) {
+ if (!results.exists || (results.categoryData && parseInt(results.categoryData.disabled, 10) === 1)) {
+ return categoriesController.notFound(req, res);
+ }
+
+ if (cid + '/' + req.params.slug !== results.categoryData.slug) {
 return categoriesController.notFound(req, res);
 }

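Review bot: The new slug comparison dereferences `results.categoryData.slug` unconditionally, while the line just above treats `results.categoryData` as possibly falsy (`results.categoryData && ...`); if that guard is ever needed, the following statement throws a TypeError inside the waterfall instead of answering 404. Make the guard a hard requirement instead: `if (!results.exists || !results.categoryData || parseInt(results.categoryData.disabled, 10) === 1) {`. Note also that the slug check runs before anything consults `results.privileges`; if a read-privilege check follows further down (outside the hunk), a user who may not read the category gets 404 for a wrong slug and 403 for the right one, which confirms category slugs to unauthorised users, so consider checking privileges first. categoriesController.get continues beyond both ends of this hunk.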
@@ -218,13 +222,13 @@ categoriesController.get = function(req, res, next) {
 };

 categoriesController.notFound = function(req, res) {
- res.locals.isAPI ? res.json(404, 'not-found') : res.redirect(nconf.get('relative_path') + '/404');
+ res.locals.isAPI ? res.json(404, 'not-found') : res.status(404).render('404');
 };

 categoriesController.notAllowed = function(req, res) {
 var uid = req.user ? req.user.uid : 0;
 if (uid) {
- res.locals.isAPI ? res.json(403, 'not-allowed') : res.redirect(nconf.get('relative_path') + '/403');
+ res.locals.isAPI ? res.json(403, 'not-allowed') : res.status(403).render('403');
 } else {
 if (res.locals.isAPI) {
 res.json(401, 'not-authorized');
diff --git a/src/controllers/topics.js b/src/controllers/topics.js
index d3987d44b1..5a0bcd671e 100644
--- a/src/controllers/topics.js
+++ b/src/controllers/topics.js
@@ -21,6 +21,10 @@ topicsController.get = function(req, res, next) {
 uid = req.user ? req.user.uid : 0,
 userPrivileges;

+ if (req.params.post_index && !utils.isNumber(req.params.post_index)) {
+ return categoriesController.notFound(req, res);
+ }
+
 async.waterfall([
 function (next) {
 async.parallel({
@@ -32,6 +36,9 @@ topicsController.get = function(req, res, next) {
 },
 settings: function(next) {
 user.getSettings(uid, next);
+ },
+ slug: function(next) {
+ topics.getTopicField(tid, 'slug', next);
 }
 }, next);
 },
@@ -55,6 +62,10 @@ topicsController.get = function(req, res, next) {
 return categoriesController.notFound(req, res);
 }

+ if (tid + '/' + req.params.slug !== results.slug) {
+ return categoriesController.notFound(req, res);
+ }
+
 if (!userPrivileges.read) {
 return categoriesController.notAllowed(req, res);
 }
diff --git a/src/routes/index.js b/src/routes/index.js
index ed76d01fe3..6085ab6666 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
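Review bot: Both rewritten lines still use a conditional expression purely for its side effects, which hides that the two branches produce different response shapes and makes a missing `return` easy to overlook. Write each as a statement, e.g. in notFound: `if (res.locals.isAPI) { return res.json(404, 'not-found'); }` followed by `res.status(404).render('404');`, and the same shape for the 403 branch. Since the new HTML branch already sets the status explicitly, the JSON branch could use the same form (`res.status(404).json('not-found')`) rather than the status-first `res.json(status, body)` signature, depending on the Express version in use. The change also removes the only uses of `nconf` visible in this file; if none remain elsewhere, the require is dead. notAllowed continues past the end of the hunk.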
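Review bot: The added guard rejects a non-numeric `post_index` before any lookup runs, which is the right place, but it is the only input validated here: `req.params.slug` and `tid` (declared above the hunk) are left to the lookups further down, and `utils` is not required within the hunk, so confirm it is in scope in this file. What `utils.isNumber` accepts (negative values, exponent forms, leading zeros) decides how strong this check is and cannot be seen here. Add a why-comment so the early return is not moved below the waterfall later: `// Reject a malformed post_index before any DB lookups; a non-numeric value can only come from a crafted or broken URL.` topicsController.get begins above the hunk.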
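Review bot: The new slug comparison runs before the `userPrivileges.read` check that follows it, so a user without read access gets 404 for a wrong slug and 403 for the correct one; if topic slugs embed the title, as the `tid/slug` form suggests, this lets an unauthorised user confirm a private topic's title by guessing. Move the slug block below the `if (!userPrivileges.read)` block so unprivileged requests get the same 403 regardless of slug, or answer a slug mismatch with notAllowed when the caller lacks read privilege. Separately, `tid + '/' + req.params.slug` relies on `tid` stringifying exactly as the stored slug prefix (no leading zeros or whitespace), which depends on how `tid` is derived above the hunk. The waterfall step continues outside the hunk.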
@@ -55,7 +55,7 @@ function categoryRoutes(app, middleware, controllers) {
 app.get('/api/unread/total', middleware.authenticate, controllers.categories.unreadTotal);

 setupPageRoute(app, '/category/:category_id/:slug/:topic_index', middleware, [middleware.applyCSRF, middleware.checkTopicIndex], controllers.categories.get);
- setupPageRoute(app, '/category/:category_id/:slug?', middleware, [middleware.applyCSRF, middleware.addSlug], controllers.categories.get);
+ setupPageRoute(app, '/category/:category_id/:slug', middleware, [middleware.applyCSRF, middleware.addSlug], controllers.categories.get);
 }

 function accountRoutes(app, middleware, controllers) {
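Review bot: Making `:slug` mandatory means a request to `/category/:category_id` no longer matches this route at all, so `middleware.addSlug`, which by its name exists to redirect slug-less requests to the canonical URL, can no longer see such a request here; either it is now dead on this route or slug-less links fall through to whatever handles unmatched paths, which cannot be verified from this hunk. If old links must keep working, keep a separate `'/category/:category_id'` route whose only middleware is `addSlug`, and leave this slug-required route as is. The `:topic_index` route above already required a slug and shares the same controller, so it picks up the controller's new slug check as well.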