dont add category/topic slug if user doesnt have read permission

or category is disabled etc.
2025-11-07 14:35:47 +01:00 · 2015-04-08 21:16:06 -04:00
parent 0c851d864e
commit 835d4db481
4 changed files with 12 additions and 25 deletions
--- a/src/controllers/categories.js
+++ b/src/controllers/categories.js
@@ -188,7 +188,7 @@ categoriesController.get = function(req, res, next) {
 				return helpers.notFound(req, res);
 			}
-			if (cid + '/' + req.params.slug !== results.categoryData.slug) {
+			if (req.params.slug && cid + '/' + req.params.slug !== results.categoryData.slug) {
 				return helpers.notFound(req, res);
 			}
@@ -196,6 +196,10 @@ categoriesController.get = function(req, res, next) {
 				return helpers.notAllowed(req, res);
 			}
 			if (!req.params.slug && results.categoryData.slug && results.categoryData.slug !== cid + '/') {
 				return helpers.redirect(res, '/category/' + encodeURI(results.categoryData.slug));
 			}
 			var topicIndex = utils.isNumber(req.params.topic_index) ? parseInt(req.params.topic_index, 10) - 1 : 0;
 			var topicCount = parseInt(results.categoryData.topic_count, 10);
--- a/src/controllers/topics.js
+++ b/src/controllers/topics.js
@@ -43,7 +43,7 @@ topicsController.get = function(req, res, next) {
 		function (results, next) {
 			userPrivileges = results.privileges;
-			if (userPrivileges.disabled || tid + '/' + req.params.slug !== results.topic.slug) {
+			if (userPrivileges.disabled || (req.params.slug && tid + '/' + req.params.slug !== results.topic.slug)) {
 				return helpers.notFound(req, res);
 			}
@@ -51,6 +51,10 @@ topicsController.get = function(req, res, next) {
 				return helpers.notAllowed(req, res);
 			}
 			if (!req.params.slug && results.topic.slug && results.topic.slug !== tid + '/') {
 				return helpers.redirect(res, '/topic/' + encodeURI(results.topic.slug));
 			}
 			var settings = results.settings;
 			var postCount = parseInt(results.topic.postcount, 10);
 			var pageCount = Math.max(1, Math.ceil((postCount - 1) / settings.postsPerPage));
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@@ -84,27 +84,6 @@ middleware.redirectToLoginIfGuest = function(req, res, next) {
 	}
 };
 middleware.addSlug = function(req, res, next) {
 	function redirect(method, id, name) {
 		method(id, 'slug', function(err, slug) {
 			if (err || !slug || slug === id + '/') {
 				return next(err);
 			}
 			controllers.helpers.redirect(res, name + encodeURI(slug));
 		});
 	}
 	if (!req.params.slug) {
 		if (req.params.category_id) {
 			return redirect(categories.getCategoryField, req.params.category_id, '/category/');
 		} else if (req.params.topic_id) {
 			return redirect(topics.getTopicField, req.params.topic_id, '/topic/');
 		}
 	}
 	next();
 };
 middleware.validateFiles = function(req, res, next) {
 	if (!Array.isArray(req.files.files) || !req.files.files.length) {
 		return next(new Error(['[[error:invalid-files]]']));
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -42,7 +42,7 @@ function topicRoutes(app, middleware, controllers) {
 	app.get('/api/topic/teaser/:topic_id', controllers.topics.teaser);
 	setupPageRoute(app, '/topic/:topic_id/:slug/:post_index?', middleware, [], controllers.topics.get);
-	setupPageRoute(app, '/topic/:topic_id/:slug?', middleware, [middleware.addSlug], controllers.topics.get);
+	setupPageRoute(app, '/topic/:topic_id/:slug?', middleware, [], controllers.topics.get);
 }
 function tagRoutes(app, middleware, controllers) {
@@ -58,7 +58,7 @@ function categoryRoutes(app, middleware, controllers) {
 	app.get('/api/unread/total', middleware.authenticate, controllers.categories.unreadTotal);
 	setupPageRoute(app, '/category/:category_id/:slug/:topic_index', middleware, [], controllers.categories.get);
-	setupPageRoute(app, '/category/:category_id/:slug?', middleware, [middleware.addSlug], controllers.categories.get);
+	setupPageRoute(app, '/category/:category_id/:slug?', middleware, [], controllers.categories.get);
 }
 function accountRoutes(app, middleware, controllers) {