Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 08:36:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: core work for #9042, thumb deletion now accepts uuids

Browse Source 
+ common data validation for thumb addition and deletion
This commit is contained in:
Julian Lam
2020-12-03 16:48:57 -05:00
parent 1f0c1cd229
commit b5d910f53b
3 changed files with 26 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
src/controllers/write/topics.js
View File

@@ -95,18 +95,9 @@ Topics.getThumbs = async (req, res) => {
};
Topics.addThumb = async (req, res) => {
// req.params.tid could be either a tid (pushing a new thumb to an existing topic) or a post UUID (a new topic being composed)
const id = req.params.tid;
const isUUID = validator.isUUID(id);
// Sanity-check the tid if it's strictly not a uuid
if (!isUUID && (isNaN(parseInt(id, 10)) || !await topics.exists(req.params.tid))) {
return helpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
}
// While drafts are not protected, tids are
if (!isUUID && !await privileges.topics.canEdit(req.params.tid, req.user.uid)) {
return helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
await checkThumbPrivileges(req, res);
if (res.headersSent) {
return;
}
/**
@@ -122,15 +113,31 @@ Topics.addThumb = async (req, res) => {
// Add uploaded files to topic zset
await Promise.all(files.map(async (fileObj) => {
await topics.thumbs.associate(id, fileObj.path);
await topics.thumbs.associate(req.params.tid, fileObj.path);
}));
};
Topics.deleteThumb = async (req, res) => {
if (!await privileges.topics.canEdit(req.params.tid, req.user.uid)) {
return helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
await checkThumbPrivileges(req, res);
if (res.headersSent) {
return;
}
await topics.thumbs.delete(req.params.tid, req.body.path);
helpers.formatApiResponse(200, res, await topics.thumbs.get(req.params.tid));
};
async function checkThumbPrivileges(req, res) {
// req.params.tid could be either a tid (pushing a new thumb to an existing topic) or a post UUID (a new topic being composed)
const isUUID = validator.isUUID(req.params.tid);
// Sanity-check the tid if it's strictly not a uuid
if (!isUUID && (isNaN(parseInt(req.params.tid, 10)) || !await topics.exists(req.params.tid))) {
return helpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
}
// While drafts are not protected, tids are
if (!isUUID && !await privileges.topics.canEdit(req.params.tid, req.user.uid)) {
return helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
}
}

2
src/routes/write/topics.js
View File

@@ -36,7 +36,7 @@ module.exports = function () {
setupApiRoute(router, 'get', '/:tid/thumbs', [], controllers.write.topics.getThumbs);
setupApiRoute(router, 'post', '/:tid/thumbs', [multipartMiddleware, middleware.validateFiles, ...middlewares], controllers.write.topics.addThumb);
setupApiRoute(router, 'delete', '/:tid/thumbs', [...middlewares, middleware.assert.topic, middleware.assert.path], controllers.write.topics.deleteThumb);
setupApiRoute(router, 'delete', '/:tid/thumbs', [...middlewares, middleware.assert.path], controllers.write.topics.deleteThumb);
return router;
};

5
src/topics/thumbs.js
View File

@@ -53,9 +53,10 @@ Thumbs.commit = async function (uuid, tid) {
await db.delete(set);
};
Thumbs.delete = async function (tid, relativePath) {
Thumbs.delete = async function (id, relativePath) {
// TODO: tests
const set = `topic:${tid}:thumbs`;
const isDraft = validator.isUUID(String(id));
const set = `${isDraft ? 'draft' : 'topic'}:${id}:thumbs`;
const absolutePath = path.join(nconf.get('upload_path'), relativePath);
const [associated, existsOnDisk] = await Promise.all([
db.isSortedSetMember(set, relativePath),