2020-10-01 14:11:59 -04:00
|
|
|
'use strict';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The middlewares here strictly act to "assert" validity of the incoming
|
|
|
|
|
* payload and throw an error otherwise.
|
|
|
|
|
*/
|
|
|
|
|
|
2020-10-08 12:00:06 -04:00
|
|
|
const fs = require('fs');
|
|
|
|
|
const fsPromises = fs.promises;
|
|
|
|
|
const path = require('path');
|
|
|
|
|
|
|
|
|
|
const nconf = require('nconf');
|
|
|
|
|
|
2020-10-01 19:37:13 -04:00
|
|
|
const user = require('../user');
|
2020-10-01 14:11:59 -04:00
|
|
|
const groups = require('../groups');
|
2020-10-01 14:26:34 -04:00
|
|
|
const topics = require('../topics');
|
2020-10-06 14:12:02 -04:00
|
|
|
const posts = require('../posts');
|
2020-10-01 14:26:34 -04:00
|
|
|
|
2020-10-08 12:00:06 -04:00
|
|
|
const helpers = require('./helpers');
|
|
|
|
|
const controllerHelpers = require('../controllers/helpers');
|
2020-10-01 14:11:59 -04:00
|
|
|
|
|
|
|
|
module.exports = function (middleware) {
|
2020-10-08 12:00:06 -04:00
|
|
|
middleware.assertUser = helpers.try(async (req, res, next) => {
|
2020-10-01 19:37:13 -04:00
|
|
|
if (!await user.exists(req.params.uid)) {
|
2020-10-08 12:00:06 -04:00
|
|
|
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
|
2020-10-01 19:37:13 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
next();
|
2020-10-08 12:00:06 -04:00
|
|
|
});
|
2020-10-01 19:37:13 -04:00
|
|
|
|
2020-10-08 12:00:06 -04:00
|
|
|
middleware.assertGroup = helpers.try(async (req, res, next) => {
|
2020-10-01 14:11:59 -04:00
|
|
|
const name = await groups.getGroupNameByGroupSlug(req.params.slug);
|
2020-10-02 10:35:22 -04:00
|
|
|
if (!name || !await groups.exists(name)) {
|
2020-10-08 12:00:06 -04:00
|
|
|
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-group]]'));
|
2020-10-01 14:26:34 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
next();
|
2020-10-08 12:00:06 -04:00
|
|
|
});
|
2020-10-01 14:26:34 -04:00
|
|
|
|
2020-10-08 12:00:06 -04:00
|
|
|
middleware.assertTopic = helpers.try(async (req, res, next) => {
|
2020-10-01 14:26:34 -04:00
|
|
|
if (!await topics.exists(req.params.tid)) {
|
2020-10-08 12:00:06 -04:00
|
|
|
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
|
2020-10-01 14:11:59 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
next();
|
2020-10-08 12:00:06 -04:00
|
|
|
});
|
2020-10-06 14:12:02 -04:00
|
|
|
|
2020-10-08 12:00:06 -04:00
|
|
|
middleware.assertPost = helpers.try(async (req, res, next) => {
|
2020-10-06 14:12:02 -04:00
|
|
|
if (!await posts.exists(req.params.pid)) {
|
2020-10-08 12:00:06 -04:00
|
|
|
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
next();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
middleware.assertPath = helpers.try(async (req, res, next) => {
|
|
|
|
|
// file: URL support
|
|
|
|
|
if (req.body.path.startsWith('file:///')) {
|
|
|
|
|
req.body.path = new URL(req.body.path).pathname;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Checks file exists and is within bounds of upload_path
|
|
|
|
|
const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
|
|
|
|
|
res.locals.cleanedPath = pathToFile;
|
|
|
|
|
|
|
|
|
|
if (!pathToFile.startsWith(nconf.get('upload_path'))) {
|
|
|
|
|
return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
await fsPromises.access(pathToFile, fs.constants.F_OK);
|
|
|
|
|
} catch (e) {
|
|
|
|
|
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
|
2020-10-06 14:12:02 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
next();
|
2020-10-08 12:00:06 -04:00
|
|
|
});
|
2020-10-01 14:11:59 -04:00
|
|
|
};
|
