fix: relax toPid assertion checks so that it only checks that it is a number or uri

Julian Lam
2025-10-29 14:52:59 -04:00
parent f6219d0026
commit 30b1212a0a
2 changed files with 2 additions and 63 deletions


@@ -7,7 +7,6 @@ const user = require('../user');
const topics = require('../topics');
const categories = require('../categories');
const groups = require('../groups');
const privileges = require('../privileges');
const activitypub = require('../activitypub');
const utils = require('../utils');
@@ -24,8 +23,8 @@ module.exports = function (Posts) {
throw new Error('[[error:invalid-uid]]');
}
if (data.toPid) {
await checkToPid(data.toPid, uid);
if (data.toPid && !utils.isNumber(data.toPid) && !activitypub.helpers.isUri(data.toPid)) {
throw new Error('[[error:invalid-pid]]');
}
const pid = data.pid || await db.incrObjectField('global', 'nextPid');
@@ -101,19 +100,4 @@ module.exports = function (Posts) {
db.incrObjectField(`post:${postData.toPid}`, 'replies'),
]);
}
async function checkToPid(toPid, uid) {
if (!utils.isNumber(toPid) && !activitypub.helpers.isUri(toPid)) {
throw new Error('[[error:invalid-pid]]');
}
const [toPost, canViewToPid] = await Promise.all([
Posts.getPostFields(toPid, ['pid', 'deleted']),
privileges.posts.can('posts:view_deleted', toPid, uid),
]);
const toPidExists = !!toPost.pid;
if (!toPidExists || (toPost.deleted && !canViewToPid)) {
throw new Error('[[error:invalid-pid]]');
}
}
};
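Review bot: The guard that replaces `await checkToPid(data.toPid, uid)` validates only the shape of `toPid`, so a numeric pid that was purged, never existed, or belongs to a deleted post the caller cannot view is now accepted at creation time. The context call to `db.incrObjectField(...)` on the `post:${postData.toPid}` key in the third hunk would then bump a `replies` counter on a post object that may not exist, and replies can be attached to content that the `posts:view_deleted` check used to gate. If the relaxation is meant for remote URIs (an inference from the `isUri` branch; the commit does not say), consider keeping the lookup for local pids only, e.g. `if (utils.isNumber(data.toPid)) { await checkToPid(data.toPid, uid); }`, or add a comment naming the caller that now enforces existence and visibility. The enclosing create function starts and ends outside these hunks, so a later check there cannot be ruled out.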


@@ -314,51 +314,6 @@ describe('Topic\'s', () => {
});
});
it('should fail to create new reply with toPid that has been purged', async () => {
const { postData } = await topics.post({
uid: topic.userId,
cid: topic.categoryId,
title: utils.generateUUID(),
content: utils.generateUUID(),
});
await posts.purge(postData.pid, topic.userId);
await assert.rejects(
topics.reply({ uid: topic.userId, content: 'test post', tid: postData.topic.tid, toPid: postData.pid }),
{ message: '[[error:invalid-pid]]' }
);
});
it('should fail to create a new reply with toPid that has been deleted (user cannot view_deleted)', async () => {
const { postData } = await topics.post({
uid: topic.userId,
cid: topic.categoryId,
title: utils.generateUUID(),
content: utils.generateUUID(),
});
await posts.delete(postData.pid, topic.userId);
const uid = await User.create({ username: utils.generateUUID().slice(0, 10) });
await assert.rejects(
topics.reply({ uid, content: 'test post', tid: postData.topic.tid, toPid: postData.pid }),
{ message: '[[error:invalid-pid]]' }
);
});
it('should properly create a new reply with toPid that has been deleted (user\'s own deleted post)', async () => {
const { postData } = await topics.post({
uid: topic.userId,
cid: topic.categoryId,
title: utils.generateUUID(),
content: utils.generateUUID(),
});
await posts.delete(postData.pid, topic.userId);
const uid = await User.create({ username: utils.generateUUID().slice(0, 10) });
const { pid } = await topics.reply({ uid: topic.userId, content: 'test post', tid: postData.topic.tid, toPid: postData.pid });
assert(pid);
});
it('should delete nested relies properly', async () => {
const result = await topics.post({ uid: fooUid, title: 'nested test', content: 'main post', cid: topic.categoryId });
const reply1 = await topics.reply({ uid: fooUid, content: 'reply post 1', tid: result.topicData.tid });