closes #2117

11 years ago · da64eb0873
parent 5d344b3dac
commit da64eb0873
3 changed files with 21 additions and 6 deletions
--- a/src/controllers/categories.js
+++ b/src/controllers/categories.js
@ -95,8 +95,8 @@ categoriesController.get = function(req, res, next) {
 				exists: function(next) {
 					categories.exists(cid, next);
 				},
-				disabled: function(next) {
-					categories.getCategoryField(cid, 'disabled', next);
+				categoryData: function(next) {
+					categories.getCategoryFields(cid, ['slug', 'disabled'], next);
 				},
 				privileges: function(next) {
 					privileges.categories.get(cid, uid, next);
@ -107,7 +107,11 @@ categoriesController.get = function(req, res, next) {
 			}, next);
 		},
 		function(results, next) {
-			if (!results.exists || parseInt(results.disabled, 10) === 1) {
+			if (!results.exists || (results.categoryData && parseInt(results.categoryData.disabled, 10) === 1)) {
+				return categoriesController.notFound(req, res);
+			}
+
+			if (cid + '/' + req.params.slug !== results.categoryData.slug) {
 				return categoriesController.notFound(req, res);
 			}

@ -218,13 +222,13 @@ categoriesController.get = function(req, res, next) {
 };

 categoriesController.notFound = function(req, res) {
-	res.locals.isAPI ? res.json(404, 'not-found') : res.redirect(nconf.get('relative_path') + '/404');
+	res.locals.isAPI ? res.json(404, 'not-found') : res.status(404).render('404');
 };

 categoriesController.notAllowed = function(req, res) {
 	var uid = req.user ? req.user.uid : 0;
 	if (uid) {
-		res.locals.isAPI ? res.json(403, 'not-allowed') : res.redirect(nconf.get('relative_path') + '/403');
+		res.locals.isAPI ? res.json(403, 'not-allowed') : res.status(403).render('403');
 	} else {
 		if (res.locals.isAPI) {
 			res.json(401, 'not-authorized');
--- a/src/controllers/topics.js
+++ b/src/controllers/topics.js
@ -21,6 +21,10 @@ topicsController.get = function(req, res, next) {
 		uid = req.user ? req.user.uid : 0,
 		userPrivileges;

+	if (req.params.post_index && !utils.isNumber(req.params.post_index)) {
+		return categoriesController.notFound(req, res);
+	}
+
 	async.waterfall([
 		function (next) {
 			async.parallel({
@ -32,6 +36,9 @@ topicsController.get = function(req, res, next) {
 				},
 				settings: function(next) {
 					user.getSettings(uid, next);
+				},
+				slug: function(next) {
+					topics.getTopicField(tid, 'slug', next);
 				}
 			}, next);
 		},
@ -55,6 +62,10 @@ topicsController.get = function(req, res, next) {
 				return categoriesController.notFound(req, res);
 			}

+			if (tid + '/' + req.params.slug !== results.slug) {
+				return categoriesController.notFound(req, res);
+			}
+
 			if (!userPrivileges.read) {
 				return categoriesController.notAllowed(req, res);
 			}
--- a/src/routes/index.js
+++ b/src/routes/index.js
@ -55,7 +55,7 @@ function categoryRoutes(app, middleware, controllers) {
 	app.get('/api/unread/total', middleware.authenticate, controllers.categories.unreadTotal);

 	setupPageRoute(app, '/category/:category_id/:slug/:topic_index', middleware, [middleware.applyCSRF, middleware.checkTopicIndex], controllers.categories.get);
-	setupPageRoute(app, '/category/:category_id/:slug?', middleware, [middleware.applyCSRF, middleware.addSlug], controllers.categories.get);
+	setupPageRoute(app, '/category/:category_id/:slug', middleware, [middleware.applyCSRF, middleware.addSlug], controllers.categories.get);
 }

 function accountRoutes(app, middleware, controllers) {