From eeaee8ccef325ff297c276bd7e6a8f3d6b9e8701 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Fri, 7 Dec 2018 11:56:44 -0500
Subject: [PATCH] fix: not calling authenticate middleware on resource direct
 access routes

---
 src/routes/api.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/routes/api.js b/src/routes/api.js
index 3bcfca342e..c0c69db4ef 100644
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -19,9 +19,9 @@ module.exports = function (app, middleware, controllers) {
 	router.get('/user/uid/:userslug/export/uploads', middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportUploads);
 	router.get('/user/uid/:userslug/export/profile', middleware.checkAccountPermissions, middleware.exposeUid, controllers.user.exportProfile);
 
-	router.get('/:type/pid/:id', controllers.api.getObject);
-	router.get('/:type/tid/:id', controllers.api.getObject);
-	router.get('/:type/cid/:id', controllers.api.getObject);
+	router.get('/:type/pid/:id', middleware.authenticate, controllers.api.getObject);
+	router.get('/:type/tid/:id', middleware.authenticate, controllers.api.getObject);
+	router.get('/:type/cid/:id', middleware.authenticate, controllers.api.getObject);
 
 	router.get('/categories/:cid/moderators', controllers.api.getModerators);
 	router.get('/recent/posts/:term?', controllers.posts.getRecentPosts);