From f2fe7c0686962ad9fb933d46f58e252c008a3593 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Tue, 20 Jun 2023 18:51:46 -0400
Subject: [PATCH] fix: #11735, crash when making guest reply to /api/compose route
---
 src/controllers/composer.js | 15 +++++++++++----
 test/controllers.js | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/src/controllers/composer.js b/src/controllers/composer.js
index d82214fb91..9475fbdba5 100644
--- a/src/controllers/composer.js
+++ b/src/controllers/composer.js
@@ -76,13 +76,20 @@ exports.post = async function (req, res) {
 } else {
 throw new Error('[[error:invalid-data]]');
 }
+ if (!result) {
+ throw new Error('[[error:invalid-data]]');
+ }
 if (result.queued) {
 return res.redirect(`${nconf.get('relative_path') || '/'}?noScriptMessage=[[success:post-queued]]`);
 }
- const uid = result.uid ? result.uid : result.topicData.uid;
- user.updateOnlineUsers(uid);
- const path = result.pid ? `/post/${result.pid}` : `/topic/${result.topicData.slug}`;
- res.redirect(nconf.get('relative_path') + path);
+ user.updateOnlineUsers(req.uid);
+ let path = nconf.get('relative_path');
+ if (result.pid) {
+ path += `/post/${result.pid}`;
+ } else if (result.topicData) {
+ path += `/topic/${result.topicData.slug}`;
+ }
+ res.redirect(path);
 } catch (err) {
 helpers.noScriptErrors(req, res, err.message, 400);
 }
diff --git a/test/controllers.js b/test/controllers.js
index 893d4892e8..aebd529266 100644
--- a/test/controllers.js
+++ b/test/controllers.js
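Review bot: When `result` carries neither `pid` nor `topicData`, the new `if`/`else if` chain falls through and `res.redirect(path)` is called with the bare `relative_path`, which the queued branch just above treats as possibly empty (`nconf.get('relative_path') || '/'`), so the client can receive a redirect with an empty target instead of an error. Closing the chain with `} else { throw new Error('[[error:invalid-data]]'); }` would route that case through the existing `catch` and `helpers.noScriptErrors`, like the new `!result` guard. Separately, `user.updateOnlineUsers(req.uid)` is not awaited; if it returns a promise (its definition is not in this hunk), a rejection would escape the surrounding `try`. The body of `exports.post` starts above the hunk, so how `result` is produced is not visible here.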
@@ -2682,6 +2682,42 @@ describe('Controllers', () => {
 });
 });
 });
+
+ it('should create a new topic and reply by composer route as a guest', async () => {
+ const jar = request.jar();
+ const csrf_token = await helpers.getCsrfToken(jar);
+ const data = {
+ cid: cid,
+ title: 'no js is good',
+ content: 'a topic with noscript',
+ handle: 'guest1',
+ };
+
+ await privileges.categories.give(['groups:topics:create', 'groups:topics:reply'], cid, 'guests');
+
+ const result = await helpers.request('post', `/compose`, {
+ form: data,
+ jar,
+ headers: {
+ 'x-csrf-token': csrf_token,
+ },
+ });
+ assert.strictEqual(result.res.statusCode, 302);
+
+ const replyResult = await helpers.request('post', `/compose`, {
+ form: {
+ tid: tid,
+ content: 'a new reply',
+ handle: 'guest2',
+ },
+ jar,
+ headers: {
+ 'x-csrf-token': csrf_token,
+ },
+ });
+ assert.equal(replyResult.res.statusCode, 302);
+ await privileges.categories.rescind(['groups:topics:post', 'groups:topics:reply'], cid, 'guests');
+ });
 });
 describe('test routes', () => {
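Review bot: The privileges rescinded at the end of the test do not match the ones granted: `give` adds `groups:topics:create` and `groups:topics:reply` for `guests`, while `rescind` names `groups:topics:post` and `groups:topics:reply`, so guests keep topic-creation rights on `cid` for every later test in the file and a missing privilege check there could go unnoticed. The rescind should list the same array, `await privileges.categories.rescind(['groups:topics:create', 'groups:topics:reply'], cid, 'guests');`, and sit in a `finally` so a failed assertion does not skip it. The second status check uses `assert.equal` where the first uses `assert.strictEqual`; the two should match.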