fix: request authentication called twice in account routes

4 years ago · e3b2c00db1
parent 7da061f0d7
commit e3b2c00db1
3 changed files with 12 additions and 7 deletions
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@ -148,12 +148,12 @@ module.exports = function (middleware) {

 	middleware.checkAccountPermissions = helpers.try(async (req, res, next) => {
 		// This middleware ensures that only the requested user and admins can pass
-		if (!await authenticate(req, res)) {
-			return;
-		}
+
+		// This check if left behind for legacy purposes. Older plugins may call this middleware without ensureLoggedIn
 		if (!req.loggedIn) {
 			return controllers.helpers.notAllowed(req, res);
 		}
+
 		const uid = await user.getUidByUserslug(req.params.userslug);
 		let allowed = await privileges.users.canEdit(req.uid, uid);
 		if (allowed) {
--- a/src/routes/api.js
+++ b/src/routes/api.js
@ -15,9 +15,9 @@ module.exports = function (app, middleware, controllers) {
 	router.get('/user/username/:username', middleware.canViewUsers, controllers.user.getUserByUsername);
 	router.get('/user/email/:email', middleware.canViewUsers, controllers.user.getUserByEmail);

-	router.get('/user/uid/:userslug/export/posts', middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportPosts);
-	router.get('/user/uid/:userslug/export/uploads', middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportUploads);
-	router.get('/user/uid/:userslug/export/profile', middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportProfile);
+	router.get('/user/uid/:userslug/export/posts', middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportPosts);
+	router.get('/user/uid/:userslug/export/uploads', middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportUploads);
+	router.get('/user/uid/:userslug/export/profile', middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportProfile);

 	router.get('/categories/:cid/moderators', controllers.api.getModerators);
 	router.get('/recent/posts/:term?', controllers.posts.getRecentPosts);
--- a/src/routes/user.js
+++ b/src/routes/user.js
@ -9,7 +9,12 @@ const { setupPageRoute } = helpers;

 module.exports = function (app, name, middleware, controllers) {
 	const middlewares = [middleware.exposeUid, middleware.canViewUsers];
-	const accountMiddlewares = [middleware.exposeUid, middleware.canViewUsers, middleware.checkAccountPermissions];
+	const accountMiddlewares = [
+		middleware.exposeUid,
+		middleware.ensureLoggedIn,
+		middleware.canViewUsers,
+		middleware.checkAccountPermissions,
+	];

 	setupPageRoute(app, '/me', middleware, [], middleware.redirectMeToUserslug);
 	setupPageRoute(app, '/me/*', middleware, [], middleware.redirectMeToUserslug);