Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-01 03:26:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: if editing password is disabled in ACP, prevent direct access via route/socket (related: #7576)

Browse Source
This commit is contained in:
Andrew Rodrigues
2019-05-09 15:50:51 -04:00
parent cf5aeace6b
commit e114b16d7a
2 changed files with 13 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/controllers/accounts/edit.js
View File

@@ -98,8 +98,8 @@ function renderRoute(name, req, res, next) {
return next(); return next();
} }
if ((name === 'username' && userData['username:disableEdit']) || (name === 'email' && userData['email:disableEdit'])) { if (meta.config[name + ':disableEdit'] && !userData.isAdmin) {
return next(); return helpers.notAllowed(req, res);
} }
if (name === 'password') { if (name === 'password') {

15
src/user/profile.js
View File

@@ -319,11 +319,18 @@ module.exports = function (User) {
User.isPasswordValid(data.newPassword, next); User.isPasswordValid(data.newPassword, next);
}, },
function (next) { function (next) {
if (parseInt(uid, 10) !== parseInt(data.uid, 10)) { User.isAdministrator(uid, next);
User.isAdministrator(uid, next); },
} else { function (isAdmin, next) {
User.isPasswordCorrect(uid, data.currentPassword, data.ip, next); if (meta.config['password:disableEdit'] && !isAdmin) {
return next(new Error('[[error:no-privileges]]'));
} }
if (isAdmin && parseInt(uid, 10) !== parseInt(data.uid, 10)) {
return next(null, true);
}
User.isPasswordCorrect(uid, data.currentPassword, data.ip, next);
}, },
function (isAdminOrPasswordMatch, next) { function (isAdminOrPasswordMatch, next) {
if (!isAdminOrPasswordMatch) { if (!isAdminOrPasswordMatch) {