fix: #7087, server-side protection against guest blocks

2025-10-26 16:46:12 +01:00 · 2018-12-10 14:14:11 -05:00
parent 6c312fa253
commit 33d4956b76
3 changed files with 22 additions and 12 deletions
--- a/public/language/en-GB/error.json
+++ b/public/language/en-GB/error.json
@@ -185,5 +185,8 @@

 	"cannot-block-self": "You cannot block yourself!",
 	"cannot-block-privileged": "You cannot block administrators or global moderators",
+	"cannot-block-guest": "Guest are not able to block other users",
+	"already-blocked": "This user is already blocked",
+	"already-unblocked": "This user is already unblocked",
 	"no-connection": "There seems to be a problem with your internet connection"
 }
--- a/src/socket.io/user/profile.js
+++ b/src/socket.io/user/profile.js
@@ -220,10 +220,6 @@ module.exports = function (SocketUser) {
 			},
 			function (results, next) {
 				isBlocked = results.is;
-				if (!results.can && !isBlocked) {
-					return next(new Error('[[error:cannot-block-privileged]]'));
-				}
-
 				user.blocks[isBlocked ? 'remove' : 'add'](data.blockeeUid, data.blockerUid, next);
 			},
 		], function (err) {
--- a/src/user/blocks.js
+++ b/src/user/blocks.js
@@ -23,7 +23,15 @@ module.exports = function (User) {
 	};

 	User.blocks.can = function (callerUid, blockerUid, blockeeUid, callback) {
+		// Guests can't block
+		if (blockerUid === 0 || blockeeUid === 0) {
+			return setImmediate(callback, new Error('[[error:cannot-block-guest]]'));
+		} else if (blockerUid === blockeeUid) {
+			return setImmediate(callback, new Error('[[error:cannot-block-self]]'));
+		}
+
 		// Administrators and global moderators cannot be blocked
+		// Only admins/mods can block users as another user
 		async.waterfall([
 			function (next) {
 				async.parallel({
@@ -37,12 +45,13 @@ module.exports = function (User) {
 			},
 			function (results, next) {
 				if (results.isBlockeeAdminOrMod) {
-					return callback(null, false);
+					return callback(new Error('[[error:cannot-block-privileged]]'));
 				}
 				if (parseInt(callerUid, 10) !== parseInt(blockerUid, 10) && !results.isCallerAdminOrMod) {
-					return callback(null, false);
+					return callback(new Error());
 				}
-				next(null, true);
+
+				next();
 			},
 		], callback);
 	};
@@ -94,13 +103,15 @@ module.exports = function (User) {
 	};

 	User.blocks.applyChecks = function (block, targetUid, uid, callback) {
-		if (parseInt(targetUid, 10) === parseInt(uid, 10)) {
-			return setImmediate(callback, new Error('[[error:cannot-block-self]]'));
+		User.blocks.can(uid, uid, targetUid, function (err) {
+			if (err) {
+				return callback(err);
 			}

 			User.blocks.is(targetUid, uid, function (err, is) {
 				callback(err || (is === block ? new Error('[[error:already-' + (block ? 'blocked' : 'unblocked') + ']]') : null));
 			});
+		});
 	};

 	User.blocks.filterUids = function (targetUid, uids, callback) {