Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-29 18:16:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: if editing password is disabled in ACP, prevent direct access via route/socket (related: #7576)

Browse Source
This commit is contained in:
Andrew Rodrigues
2019-05-09 15:50:51 -04:00
parent cf5aeace6b
commit e114b16d7a
2 changed files with 13 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/controllers/accounts/edit.js
View File

@@ -98,8 +98,8 @@ function renderRoute(name, req, res, next) {
return next();
}
if ((name === 'username' && userData['username:disableEdit']) || (name === 'email' && userData['email:disableEdit'])) {
return next();
if (meta.config[name + ':disableEdit'] && !userData.isAdmin) {
return helpers.notAllowed(req, res);
}
if (name === 'password') {

15
src/user/profile.js
View File

@@ -319,11 +319,18 @@ module.exports = function (User) {
User.isPasswordValid(data.newPassword, next);
},
function (next) {
if (parseInt(uid, 10) !== parseInt(data.uid, 10)) {
User.isAdministrator(uid, next);
} else {
User.isPasswordCorrect(uid, data.currentPassword, data.ip, next);
User.isAdministrator(uid, next);
},
function (isAdmin, next) {
if (meta.config['password:disableEdit'] && !isAdmin) {
return next(new Error('[[error:no-privileges]]'));
}
if (isAdmin && parseInt(uid, 10) !== parseInt(data.uid, 10)) {
return next(null, true);
}
User.isPasswordCorrect(uid, data.currentPassword, data.ip, next);
},
function (isAdminOrPasswordMatch, next) {
if (!isAdminOrPasswordMatch) {