Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #7087, server-side protection against guest blocks

Browse Source
This commit is contained in:
Julian Lam
2018-12-10 14:14:11 -05:00
parent 6c312fa253
commit 33d4956b76
3 changed files with 22 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
public/language/en-GB/error.json
View File

@@ -185,5 +185,8 @@
"cannot-block-self": "You cannot block yourself!", "cannot-block-self": "You cannot block yourself!",
"cannot-block-privileged": "You cannot block administrators or global moderators", "cannot-block-privileged": "You cannot block administrators or global moderators",
"cannot-block-guest": "Guest are not able to block other users",
"already-blocked": "This user is already blocked",
"already-unblocked": "This user is already unblocked",
"no-connection": "There seems to be a problem with your internet connection" "no-connection": "There seems to be a problem with your internet connection"
} }

4
src/socket.io/user/profile.js
View File

@@ -220,10 +220,6 @@ module.exports = function (SocketUser) {
}, },
function (results, next) { function (results, next) {
isBlocked = results.is; isBlocked = results.is;
if (!results.can && !isBlocked) {
return next(new Error('[[error:cannot-block-privileged]]'));
}
user.blocks[isBlocked ? 'remove' : 'add'](data.blockeeUid, data.blockerUid, next); user.blocks[isBlocked ? 'remove' : 'add'](data.blockeeUid, data.blockerUid, next);
}, },
], function (err) { ], function (err) {

21
src/user/blocks.js
View File

@@ -23,7 +23,15 @@ module.exports = function (User) {
}; };
User.blocks.can = function (callerUid, blockerUid, blockeeUid, callback) { User.blocks.can = function (callerUid, blockerUid, blockeeUid, callback) {
// Guests can't block
if (blockerUid === 0 || blockeeUid === 0) {
return setImmediate(callback, new Error('[[error:cannot-block-guest]]'));
} else if (blockerUid === blockeeUid) {
return setImmediate(callback, new Error('[[error:cannot-block-self]]'));
}
// Administrators and global moderators cannot be blocked // Administrators and global moderators cannot be blocked
// Only admins/mods can block users as another user
async.waterfall([ async.waterfall([
function (next) { function (next) {
async.parallel({ async.parallel({
@@ -37,12 +45,13 @@ module.exports = function (User) {
}, },
function (results, next) { function (results, next) {
if (results.isBlockeeAdminOrMod) { if (results.isBlockeeAdminOrMod) {
return callback(null, false); return callback(new Error('[[error:cannot-block-privileged]]'));
} }
if (parseInt(callerUid, 10) !== parseInt(blockerUid, 10) && !results.isCallerAdminOrMod) { if (parseInt(callerUid, 10) !== parseInt(blockerUid, 10) && !results.isCallerAdminOrMod) {
return callback(null, false); return callback(new Error());
} }
next(null, true);
next();
}, },
], callback); ], callback);
}; };
@@ -94,13 +103,15 @@ module.exports = function (User) {
}; };
User.blocks.applyChecks = function (block, targetUid, uid, callback) { User.blocks.applyChecks = function (block, targetUid, uid, callback) {
if (parseInt(targetUid, 10) === parseInt(uid, 10)) { User.blocks.can(uid, uid, targetUid, function (err) {
return setImmediate(callback, new Error('[[error:cannot-block-self]]')); if (err) {
return callback(err);
} }
User.blocks.is(targetUid, uid, function (err, is) { User.blocks.is(targetUid, uid, function (err, is) {
callback(err || (is === block ? new Error('[[error:already-' + (block ? 'blocked' : 'unblocked') + ']]') : null)); callback(err || (is === block ? new Error('[[error:already-' + (block ? 'blocked' : 'unblocked') + ']]') : null));
}); });
});
}; };
User.blocks.filterUids = function (targetUid, uids, callback) { User.blocks.filterUids = function (targetUid, uids, callback) {