closes #5394

dont allow socket.emits during maintenance mode

src/middleware/maintenance.js

@@ -12,33 +12,7 @@ module.exports = function (middleware) {
 		}
 		var url = req.url.replace(nconf.get('relative_path'), '');
 
-		var allowedRoutes = [
+		if (url.startsWith('/login') || url.startsWith('/api/login')) {
-			'^/ping',
-			'^/sping',
-			'^/login',
-			'^/stylesheet.css',
-			'^/favicon',
-			'^/nodebb.min.js',
-			'^/vendor/fontawesome/fonts/fontawesome-webfont.woff',
-			'^/src/(modules|client)/[\\w/]+.js',
-			'^/templates/[\\w/]+.tpl',
-			'^/api/login',
-			'^/api/widgets/render',
-			'^/public/language',
-			'^/uploads/system/site-logo.png'
-		];
-
-		var isAllowed = function (url) {
-			for(var x = 0,numAllowed = allowedRoutes.length,route; x < numAllowed; x++) {
-				route = new RegExp(allowedRoutes[x]);
-				if (route.test(url)) {
-					return true;
-				}
-			}
-			return false;
-		};
-
-		if (isAllowed(url)) {
 			return next();
 		}
 

src/middleware/ratelimit.js

@@ -3,7 +3,7 @@
 'use strict';
 var winston = require('winston');
 
-var ratelimit = {};
+var ratelimit = module.exports;
 
 var allowedCalls = 100;
 var timeframe = 10000;
@@ -31,5 +31,3 @@ ratelimit.isFlooding = function (socket) {
 	socket.lastCallTime = now;
 	return false;
 };
-
-module.exports = ratelimit;

src/routes/api.js

@@ -29,12 +29,13 @@ module.exports =  function (app, middleware, controllers) {
 
 	var multipart = require('connect-multiparty');
 	var multipartMiddleware = multipart();
-	var middlewares = [multipartMiddleware, middleware.validateFiles, middleware.applyCSRF];
+	var middlewares = [middleware.maintenanceMode, multipartMiddleware, middleware.validateFiles, middleware.applyCSRF];
 	router.post('/post/upload', middlewares, uploadsController.uploadPost);
 	router.post('/topic/thumb/upload', middlewares, uploadsController.uploadThumb);
 	router.post('/user/:userslug/uploadpicture', middlewares.concat([middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadPicture);
 
 	router.post('/user/:userslug/uploadcover', middlewares.concat([middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadCoverPicture);
 	router.post('/groups/uploadpicture', middlewares.concat([middleware.authenticate]), controllers.groups.uploadCover);
+
 };
 

src/routes/feeds.js

@@ -365,12 +365,12 @@ function sendFeed(feed, res) {
 }
 
 module.exports = function (app, middleware, controllers) {
-	app.get('/topic/:topic_id.rss', generateForTopic);
+	app.get('/topic/:topic_id.rss', middleware.maintenanceMode, generateForTopic);
-	app.get('/category/:category_id.rss', generateForCategory);
+	app.get('/category/:category_id.rss', middleware.maintenanceMode, generateForCategory);
-	app.get('/recent.rss', generateForRecent);
+	app.get('/recent.rss', middleware.maintenanceMode, generateForRecent);
-	app.get('/popular.rss', generateForPopular);
+	app.get('/popular.rss', middleware.maintenanceMode, generateForPopular);
-	app.get('/popular/:term.rss', generateForPopular);
+	app.get('/popular/:term.rss', middleware.maintenanceMode, generateForPopular);
-	app.get('/recentposts.rss', generateForRecentPosts);
+	app.get('/recentposts.rss', middleware.maintenanceMode, generateForRecentPosts);
-	app.get('/category/:category_id/recentposts.rss', generateForCategoryRecentPosts);
+	app.get('/category/:category_id/recentposts.rss', middleware.maintenanceMode, generateForCategoryRecentPosts);
-	app.get('/user/:userslug/topics.rss', generateForUserTopics);
+	app.get('/user/:userslug/topics.rss', middleware.maintenanceMode, generateForUserTopics);
 };

src/routes/helpers.js

@@ -3,7 +3,7 @@
 var helpers = {};
 
 helpers.setupPageRoute = function (router, name, middleware, middlewares, controller) {
-	middlewares = middlewares.concat([middleware.registrationComplete, middleware.pageView, middleware.pluginHooks]);
+	middlewares = middlewares.concat([middleware.maintenanceMode, middleware.registrationComplete, middleware.pageView, middleware.pluginHooks]);
 
 	router.get(name, middleware.busyCheck, middleware.buildHeader, middlewares, controller);
 	router.get('/api' + name, middlewares, controller);

src/routes/index.js

@@ -117,8 +117,6 @@ module.exports = function (app, middleware, hotswapIds) {
 	app.all(relativePath + '(/api/admin|/api/admin/*?)', middleware.isAdmin);
 	app.all(relativePath + '(/admin|/admin/*?)', ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login?local=1'), middleware.applyCSRF, middleware.isAdmin);
 
-	app.use(middleware.maintenanceMode);
-
 	adminRoutes(router, middleware, controllers);
 	metaRoutes(router, middleware, controllers);
 	apiRoutes(router, middleware, controllers);

src/socket.io/index.js

@@ -7,13 +7,16 @@ var url = require('url');
 var cookieParser = require('cookie-parser')(nconf.get('secret'));
 
 var db = require('../database');
+var user = require('../user');
 var logger = require('../logger');
 var ratelimit = require('../middleware/ratelimit');
 
-(function (Sockets) {
+
 var Namespaces = {};
 var io;
 
+var Sockets = module.exports;
+
 Sockets.init = function (server) {
 	requireModules();
 
@@ -104,6 +107,9 @@ var ratelimit = require('../middleware/ratelimit');
 	}
 
 	async.waterfall([
+		function (next) {
+			checkMaintenance(socket, next);
+		},
 		function (next) {
 			validateSession(socket, next);
 		},
@@ -132,6 +138,18 @@ var ratelimit = require('../middleware/ratelimit');
 	});
 }
 
+function checkMaintenance(socket, callback) {
+	var meta = require('../meta');
+	if (parseInt(meta.config.maintenanceMode, 10) !== 1) {
+		return setImmediate(callback);
+	}
+	user.isAdministrator(socket.uid, function (err, isAdmin) {
+		if (err || isAdmin) {
+			return callback(err);
+		}
+	});
+}
+
 function validateSession(socket, callback) {
 	var req = socket.request;
 	if (!req.signedCookies || !req.signedCookies[nconf.get('sessionKey')]) {
@@ -226,4 +244,4 @@ var ratelimit = require('../middleware/ratelimit');
 	};
 };
 
-}(exports));
+