From e3b2c00db1a29ae01a46b4c9010d4f3c77d9f2b9 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Mon, 8 Mar 2021 14:47:33 -0500
Subject: [PATCH] fix: request authentication called twice in account routes
---
 src/middleware/user.js | 6 +++---
 src/routes/api.js | 6 +++---
 src/routes/user.js | 7 ++++++-
 3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/middleware/user.js b/src/middleware/user.js
index e71c2f3c82..bb2a5da9ee 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -148,12 +148,12 @@ module.exports = function (middleware) {
 middleware.checkAccountPermissions = helpers.try(async (req, res, next) => {
 // This middleware ensures that only the requested user and admins can pass
- if (!await authenticate(req, res)) {
- return;
- }
+
+ // This check if left behind for legacy purposes. Older plugins may call this middleware without ensureLoggedIn
 if (!req.loggedIn) {
 return controllers.helpers.notAllowed(req, res);
 }
+
 const uid = await user.getUidByUserslug(req.params.userslug);
 let allowed = await privileges.users.canEdit(req.uid, uid);
 if (allowed) {
diff --git a/src/routes/api.js b/src/routes/api.js
index 413f603c31..3b180e7981 100644
--- a/src/routes/api.js
+++ b/src/routes/api.js
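Review bot: The new comment above the `req.loggedIn` guard has a typo ("if left behind") and understates what changed: with the internal `authenticate(req, res)` call removed, this guard no longer authenticates anything, it only fails closed, so a caller that reaches `checkAccountPermissions` without `authenticateRequest` earlier in the chain will now reject token-authenticated users as anonymous instead of accepting them. I would reword it to `// This check is left behind for legacy purposes: older plugins may call this middleware without ensureLoggedIn. It only fails closed — authentication itself (authenticateRequest) must now run earlier in the route chain.` so the next maintainer does not read it as a substitute for the removed call. The arrow function body continues past the end of the hunk, so the remainder of the permission logic was not reviewed here.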
@@ -15,9 +15,9 @@ module.exports = function (app, middleware, controllers) {
 router.get('/user/username/:username', middleware.canViewUsers, controllers.user.getUserByUsername);
 router.get('/user/email/:email', middleware.canViewUsers, controllers.user.getUserByEmail);
- router.get('/user/uid/:userslug/export/posts', middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportPosts);
- router.get('/user/uid/:userslug/export/uploads', middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportUploads);
- router.get('/user/uid/:userslug/export/profile', middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportProfile);
+ router.get('/user/uid/:userslug/export/posts', middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportPosts);
+ router.get('/user/uid/:userslug/export/uploads', middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportUploads);
+ router.get('/user/uid/:userslug/export/profile', middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportProfile);
 router.get('/categories/:cid/moderators', controllers.api.getModerators);
 router.get('/recent/posts/:term?', controllers.posts.getRecentPosts);
diff --git a/src/routes/user.js b/src/routes/user.js
index d11666cb2b..ae0d1927b9 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
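Review bot: The same four-middleware guard chain is repeated verbatim on the three export routes, which is exactly how sibling routes drift apart when one of them is edited later; the page-route file in this same commit already defines an `accountMiddlewares` array for this purpose. Define the chain once, `const accountMiddlewares = [middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid];`, and spread it into each route, e.g. `router.get('/user/uid/:userslug/export/posts', ...accountMiddlewares, controllers.user.exportPosts);`. The ordering itself looks right: `ensureLoggedIn` runs before `checkAccountPermissions`, so that middleware's legacy `req.loggedIn` fallback is never the only gate, and `exposeUid` runs only after authorization. The neighbouring `/user/username` and `/user/email` routes in the context still carry only `canViewUsers`; if that middleware depends on `req.uid` being populated by `authenticateRequest`, it is worth confirming the router applies it upstream, which is not visible in this hunk.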
@@ -9,7 +9,12 @@ const { setupPageRoute } = helpers;
 module.exports = function (app, name, middleware, controllers) {
 const middlewares = [middleware.exposeUid, middleware.canViewUsers];
- const accountMiddlewares = [middleware.exposeUid, middleware.canViewUsers, middleware.checkAccountPermissions];
+ const accountMiddlewares = [
+ middleware.exposeUid,
+ middleware.ensureLoggedIn,
+ middleware.canViewUsers,
+ middleware.checkAccountPermissions,
+ ];
 setupPageRoute(app, '/me', middleware, [], middleware.redirectMeToUserslug);
 setupPageRoute(app, '/me/*', middleware, [], middleware.redirectMeToUserslug);
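Review bot: `accountMiddlewares` now includes `ensureLoggedIn` but, unlike the `/api` export routes changed in this same commit, no `authenticateRequest`; that is only safe if `setupPageRoute` (defined outside this hunk) runs `authenticateRequest` before these middlewares, otherwise every token-authenticated caller to an account page would be rejected — worth confirming. I would also put the login guard first so that `exposeUid` and `canViewUsers` do no lookup work for anonymous callers, e.g. `[middleware.ensureLoggedIn, middleware.exposeUid, middleware.canViewUsers, middleware.checkAccountPermissions]`, assuming neither of those two depends on state the login check sets. Since `checkAccountPermissions` still rejects anonymous requests through its `req.loggedIn` fallback, the added entry is correct defence in depth rather than a new restriction.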