Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 08:36:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #9945, call authenticateRequest middleware for mount points in /api

Browse Source
This commit is contained in:
Julian Lam
2021-10-29 10:56:03 -04:00
parent d8d5f416cc
commit 6a976a9db0
1 changed files with 24 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
src/routes/api.js
View File

@@ -6,29 +6,30 @@ const uploadsController = require('../controllers/uploads');
const helpers = require('./helpers'); const helpers = require('./helpers');
module.exports = function (app, middleware, controllers) { module.exports = function (app, middleware, controllers) {
const middlewares = [middleware.authenticateRequest];
const router = express.Router(); const router = express.Router();
app.use('/api', router); app.use('/api', router);
router.get('/config', middleware.applyCSRF, middleware.authenticateRequest, helpers.tryRoute(controllers.api.getConfig)); router.get('/config', [...middlewares, middleware.applyCSRF], helpers.tryRoute(controllers.api.getConfig));
router.get('/self', helpers.tryRoute(controllers.user.getCurrentUser)); router.get('/self', [...middlewares], helpers.tryRoute(controllers.user.getCurrentUser));
router.get('/user/uid/:uid', middleware.canViewUsers, helpers.tryRoute(controllers.user.getUserByUID)); router.get('/user/uid/:uid', [...middlewares, middleware.canViewUsers], helpers.tryRoute(controllers.user.getUserByUID));
router.get('/user/username/:username', middleware.canViewUsers, helpers.tryRoute(controllers.user.getUserByUsername)); router.get('/user/username/:username', [...middlewares, middleware.canViewUsers], helpers.tryRoute(controllers.user.getUserByUsername));
router.get('/user/email/:email', middleware.canViewUsers, helpers.tryRoute(controllers.user.getUserByEmail)); router.get('/user/email/:email', [...middlewares, middleware.canViewUsers], helpers.tryRoute(controllers.user.getUserByEmail));
router.get('/user/uid/:userslug/export/posts', middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid, helpers.tryRoute(controllers.user.exportPosts)); router.get('/user/uid/:userslug/export/posts', [...middlewares, middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid], helpers.tryRoute(controllers.user.exportPosts));
router.get('/user/uid/:userslug/export/uploads', middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid, helpers.tryRoute(controllers.user.exportUploads)); router.get('/user/uid/:userslug/export/uploads', [...middlewares, middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid], helpers.tryRoute(controllers.user.exportUploads));
router.get('/user/uid/:userslug/export/profile', middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid, helpers.tryRoute(controllers.user.exportProfile)); router.get('/user/uid/:userslug/export/profile', [...middlewares, middleware.authenticateRequest, middleware.ensureLoggedIn, middleware.checkAccountPermissions, middleware.exposeUid], helpers.tryRoute(controllers.user.exportProfile));
router.get('/categories/:cid/moderators', helpers.tryRoute(controllers.api.getModerators)); router.get('/categories/:cid/moderators', [...middlewares], helpers.tryRoute(controllers.api.getModerators));
router.get('/recent/posts/:term?', helpers.tryRoute(controllers.posts.getRecentPosts)); router.get('/recent/posts/:term?', [...middlewares], helpers.tryRoute(controllers.posts.getRecentPosts));
router.get('/unread/total', middleware.authenticateRequest, middleware.ensureLoggedIn, helpers.tryRoute(controllers.unread.unreadTotal)); router.get('/unread/total', [...middlewares, middleware.ensureLoggedIn], helpers.tryRoute(controllers.unread.unreadTotal));
router.get('/topic/teaser/:topic_id', helpers.tryRoute(controllers.topics.teaser)); router.get('/topic/teaser/:topic_id', [...middlewares], helpers.tryRoute(controllers.topics.teaser));
router.get('/topic/pagination/:topic_id', helpers.tryRoute(controllers.topics.pagination)); router.get('/topic/pagination/:topic_id', [...middlewares], helpers.tryRoute(controllers.topics.pagination));
const multipart = require('connect-multiparty'); const multipart = require('connect-multiparty');
const multipartMiddleware = multipart(); const multipartMiddleware = multipart();
const middlewares = [ const postMiddlewares = [
middleware.maintenanceMode, middleware.maintenanceMode,
multipartMiddleware, multipartMiddleware,
middleware.validateFiles, middleware.validateFiles,
@@ -37,13 +38,13 @@ module.exports = function (app, middleware, controllers) {
]; ];
router.post('/post/upload', middlewares, helpers.tryRoute(uploadsController.uploadPost)); router.post('/post/upload', middlewares, helpers.tryRoute(uploadsController.uploadPost));
router.post('/user/:userslug/uploadpicture', router.post('/user/:userslug/uploadpicture', [
middlewares.concat([ ...middlewares,
middleware.exposeUid, ...postMiddlewares,
middleware.authenticateRequest, middleware.exposeUid,
middleware.ensureLoggedIn, middleware.authenticateRequest,
middleware.canViewUsers, middleware.ensureLoggedIn,
middleware.checkAccountPermissions, middleware.canViewUsers,
]), middleware.checkAccountPermissions,
helpers.tryRoute(controllers.accounts.edit.uploadPicture)); ], helpers.tryRoute(controllers.accounts.edit.uploadPicture));
}; };