Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-02 12:05:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

closes #2117

Browse Source
This commit is contained in:
barisusakli
2014-09-24 15:42:45 -04:00
parent 5d344b3dac
commit da64eb0873
3 changed files with 21 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/controllers/categories.js
View File

@@ -95,8 +95,8 @@ categoriesController.get = function(req, res, next) {
exists: function(next) {
categories.exists(cid, next);
},
disabled: function(next) {
categories.getCategoryField(cid, 'disabled', next);
categoryData: function(next) {
categories.getCategoryFields(cid, ['slug', 'disabled'], next);
},
privileges: function(next) {
privileges.categories.get(cid, uid, next);
@@ -107,7 +107,11 @@ categoriesController.get = function(req, res, next) {
}, next);
},
function(results, next) {
if (!results.exists || parseInt(results.disabled, 10) === 1) {
if (!results.exists || (results.categoryData && parseInt(results.categoryData.disabled, 10) === 1)) {
return categoriesController.notFound(req, res);
}
if (cid + '/' + req.params.slug !== results.categoryData.slug) {
return categoriesController.notFound(req, res);
}
@@ -218,13 +222,13 @@ categoriesController.get = function(req, res, next) {
};
categoriesController.notFound = function(req, res) {
res.locals.isAPI ? res.json(404, 'not-found') : res.redirect(nconf.get('relative_path') + '/404');
res.locals.isAPI ? res.json(404, 'not-found') : res.status(404).render('404');
};
categoriesController.notAllowed = function(req, res) {
var uid = req.user ? req.user.uid : 0;
if (uid) {
res.locals.isAPI ? res.json(403, 'not-allowed') : res.redirect(nconf.get('relative_path') + '/403');
res.locals.isAPI ? res.json(403, 'not-allowed') : res.status(403).render('403');
} else {
if (res.locals.isAPI) {
res.json(401, 'not-authorized');

11
src/controllers/topics.js
View File

@@ -21,6 +21,10 @@ topicsController.get = function(req, res, next) {
uid = req.user ? req.user.uid : 0,
userPrivileges;
if (req.params.post_index && !utils.isNumber(req.params.post_index)) {
return categoriesController.notFound(req, res);
}
async.waterfall([
function (next) {
async.parallel({
@@ -32,6 +36,9 @@ topicsController.get = function(req, res, next) {
},
settings: function(next) {
user.getSettings(uid, next);
},
slug: function(next) {
topics.getTopicField(tid, 'slug', next);
}
}, next);
},
@@ -55,6 +62,10 @@ topicsController.get = function(req, res, next) {
return categoriesController.notFound(req, res);
}
if (tid + '/' + req.params.slug !== results.slug) {
return categoriesController.notFound(req, res);
}
if (!userPrivileges.read) {
return categoriesController.notAllowed(req, res);
}

2
src/routes/index.js
View File

@@ -55,7 +55,7 @@ function categoryRoutes(app, middleware, controllers) {
app.get('/api/unread/total', middleware.authenticate, controllers.categories.unreadTotal);
setupPageRoute(app, '/category/:category_id/:slug/:topic_index', middleware, [middleware.applyCSRF, middleware.checkTopicIndex], controllers.categories.get);
setupPageRoute(app, '/category/:category_id/:slug?', middleware, [middleware.applyCSRF, middleware.addSlug], controllers.categories.get);
setupPageRoute(app, '/category/:category_id/:slug', middleware, [middleware.applyCSRF, middleware.addSlug], controllers.categories.get);
}
function accountRoutes(app, middleware, controllers) {