updated revoke session middleware to allow self or admin or global mod invocation, tweaked tests a bit

2025-10-29 10:06:13 +01:00 · 2016-12-02 10:50:42 -05:00
parent aad9a39f02
commit 33ff5e09bb
5 changed files with 14 additions and 9 deletions
--- a/src/controllers/accounts/helpers.js
+++ b/src/controllers/accounts/helpers.js
@@ -107,6 +107,7 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 			userData.isModerator = isModerator;
 			userData.isAdminOrGlobalModerator = isAdmin || isGlobalModerator;
 			userData.isAdminOrGlobalModeratorOrModerator = isAdmin || isGlobalModerator || isModerator;
 			userData.isSelfOrAdminOrGlobalModerator = isSelf || isAdmin || isGlobalModerator;
 			userData.canEdit = isAdmin || (isGlobalModerator && !results.isTargetAdmin);
 			userData.canBan = isAdmin || (isGlobalModerator && !results.isTargetAdmin);
 			userData.canChangePassword = isAdmin || (isSelf && parseInt(meta.config['password:disableEdit'], 10) !== 1);
--- a/src/controllers/accounts/session.js
+++ b/src/controllers/accounts/session.js
@@ -13,13 +13,9 @@ sessionController.revoke = function (req, res, next) {
 	}
 	var _id;
-	var uid;
+	var uid = res.locals.uid;
 	async.waterfall([
 		function (next) {
 			user.getUidByUserslug(req.params.userslug, next);
 		},
 		function (_uid, next) {
 			uid = _uid;
 			if (!uid) {
 				return next(new Error('[[error:no-session-found]]'));
 			}
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -49,8 +49,16 @@ middleware.authenticate = function (req, res, next) {
 	controllers.helpers.notAllowed(req, res);
 };
-middleware.ensureGlobalPrivilege = function (req, res, next) {
+middleware.ensureSelfOrGlobalPrivilege = function (req, res, next) {
 	/*
 		The "self" part of this middleware hinges on you having used
 		middleware.exposeUid prior to invoking this middleware.
 	*/
 	if (req.user) {
 		if (req.user.uid === res.locals.uid) {
 			return next();
 		}
 		user.isAdminOrGlobalMod(req.uid, function (err, ok) {
 			if (err) {
 				return next(err);
--- a/src/routes/accounts.js
+++ b/src/routes/accounts.js
@@ -28,7 +28,7 @@ module.exports = function (app, middleware, controllers) {
 	setupPageRoute(app, '/user/:userslug/info', middleware, accountMiddlewares, controllers.accounts.info.get);
 	setupPageRoute(app, '/user/:userslug/settings', middleware, accountMiddlewares, controllers.accounts.settings.get);
-	app.delete('/api/user/:userslug/session/:uuid', [middleware.ensureGlobalPrivilege], controllers.accounts.session.revoke);
+	app.delete('/api/user/:userslug/session/:uuid', [middleware.exposeUid, middleware.ensureSelfOrGlobalPrivilege], controllers.accounts.session.revoke);
 	setupPageRoute(app, '/notifications', middleware, [middleware.authenticate], controllers.accounts.notifications.get);
 	setupPageRoute(app, '/user/:userslug/chats/:roomid?', middleware, middlewares, controllers.accounts.chats.get);
--- a/test/controllers.js
+++ b/test/controllers.js
@@ -533,8 +533,8 @@ describe('Controllers', function () {
 				}
 			}, function (err, res, body) {
 				assert.ifError(err);
-				assert.equal(res.statusCode, 500);
+				assert.equal(res.statusCode, 403);
-				assert.equal(body, '[[error:no-session-found]]');
+				assert.equal(body, '{"path":"/user/doesnotexist/session/1112233","loggedIn":true,"title":"[[global:403.title]]"}');
 				done();
 			});
 		});