Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-10 07:55:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #7494

Browse Source
This commit is contained in:
Baris Usakli
2019-03-26 12:24:28 -04:00
parent 63e16ec0a2
commit 8f55ab1340
3 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/middleware/user.js
View File

@@ -93,6 +93,9 @@ module.exports = function (middleware) {
}; };
middleware.canViewUsers = function canViewUsers(req, res, next) { middleware.canViewUsers = function canViewUsers(req, res, next) {
if (parseInt(res.locals.uid, 10) === req.uid) {
return next();
}
privileges.global.can('view:users', req.uid, function (err, canView) { privileges.global.can('view:users', req.uid, function (err, canView) {
if (err || canView) { if (err || canView) {
return next(err); return next(err);

4
src/routes/accounts.js
View File

@@ -4,8 +4,8 @@ var helpers = require('./helpers');
var setupPageRoute = helpers.setupPageRoute; var setupPageRoute = helpers.setupPageRoute;
module.exports = function (app, middleware, controllers) { module.exports = function (app, middleware, controllers) {
var middlewares = [middleware.canViewUsers, middleware.exposeUid]; var middlewares = [middleware.exposeUid, middleware.canViewUsers];
var accountMiddlewares = [middleware.canViewUsers, middleware.checkAccountPermissions, middleware.exposeUid]; var accountMiddlewares = [middleware.exposeUid, middleware.canViewUsers, middleware.checkAccountPermissions];
setupPageRoute(app, '/me/*', middleware, [], middleware.redirectMeToUserslug); setupPageRoute(app, '/me/*', middleware, [], middleware.redirectMeToUserslug);
setupPageRoute(app, '/uid/:uid*', middleware, [], middleware.redirectUidToUserslug); setupPageRoute(app, '/uid/:uid*', middleware, [], middleware.redirectUidToUserslug);

6
src/routes/api.js
View File

@@ -16,7 +16,7 @@ module.exports = function (app, middleware, controllers) {
} }
}, controllers.api.getConfig); }, controllers.api.getConfig);
router.get('/me', middleware.canViewUsers, controllers.user.getCurrentUser); router.get('/me', controllers.user.getCurrentUser);
router.get('/user/uid/:uid', middleware.canViewUsers, controllers.user.getUserByUID); router.get('/user/uid/:uid', middleware.canViewUsers, controllers.user.getUserByUID);
router.get('/user/username/:username', middleware.canViewUsers, controllers.user.getUserByUsername); router.get('/user/username/:username', middleware.canViewUsers, controllers.user.getUserByUsername);
router.get('/user/email/:email', middleware.canViewUsers, controllers.user.getUserByEmail); router.get('/user/email/:email', middleware.canViewUsers, controllers.user.getUserByEmail);
@@ -40,8 +40,8 @@ module.exports = function (app, middleware, controllers) {
var middlewares = [middleware.maintenanceMode, multipartMiddleware, middleware.validateFiles, middleware.applyCSRF]; var middlewares = [middleware.maintenanceMode, multipartMiddleware, middleware.validateFiles, middleware.applyCSRF];
router.post('/post/upload', middlewares, uploadsController.uploadPost); router.post('/post/upload', middlewares, uploadsController.uploadPost);
router.post('/topic/thumb/upload', middlewares, uploadsController.uploadThumb); router.post('/topic/thumb/upload', middlewares, uploadsController.uploadThumb);
router.post('/user/:userslug/uploadpicture', middlewares.concat([middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadPicture); router.post('/user/:userslug/uploadpicture', middlewares.concat([middleware.exposeUid, middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadPicture);
router.post('/user/:userslug/uploadcover', middlewares.concat([middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadCoverPicture); router.post('/user/:userslug/uploadcover', middlewares.concat([middleware.exposeUid, middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadCoverPicture);
router.post('/groups/uploadpicture', middlewares.concat([middleware.authenticate]), controllers.groups.uploadCover); router.post('/groups/uploadpicture', middlewares.concat([middleware.authenticate]), controllers.groups.uploadCover);
}; };