Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 08:36:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(writeapi): calls to profile editing routes 200 even if user DNE

Browse Source
This commit is contained in:
Julian Lam
2020-10-01 19:37:13 -04:00
parent 7757f965eb
commit 8e7baac6ef
2 changed files with 16 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/middleware/assert.js
View File

@@ -5,12 +5,21 @@
* payload and throw an error otherwise.
*/
const user = require('../user');
const groups = require('../groups');
const topics = require('../topics');
const helpers = require('../controllers/helpers');
module.exports = function (middleware) {
middleware.assertUser = async (req, res, next) => {
if (!await user.exists(req.params.uid)) {
return helpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
}
next();
};
middleware.assertGroup = async (req, res, next) => {
const name = await groups.getGroupNameByGroupSlug(req.params.slug);
if (!name || await groups.exists(name)) {

14
src/routes/write/users.js
View File

@@ -18,16 +18,16 @@ function authenticatedRoutes() {
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['username']), middleware.isAdmin], 'post', controllers.write.users.create);
setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['uids']), middleware.isAdmin, middleware.exposePrivileges], 'delete', controllers.write.users.deleteMany);
setupApiRoute(router, '/:uid', middleware, [...middlewares], 'put', controllers.write.users.update);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.update);
setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword'])], 'put', controllers.write.users.changePassword);
setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword']), middleware.assertUser], 'put', controllers.write.users.changePassword);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares], 'put', controllers.write.users.follow);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares], 'delete', controllers.write.users.unfollow);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.follow);
setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'delete', controllers.write.users.unfollow);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.exposePrivileges], 'put', controllers.write.users.ban);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'put', controllers.write.users.ban);
setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
/**
* Chat routes were not migrated because chats may get refactored... also the logic is derpy