Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-31 11:05:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #12025, validity checking on user-provided toPid value

Browse Source
This commit is contained in:
Julian Lam
2023-09-21 17:05:45 -04:00
parent 650510669f
commit fe42fd4ebc
1 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/posts/create.js
View File

@@ -9,6 +9,7 @@ const user = require('../user');
const topics = require('../topics');
const categories = require('../categories');
const groups = require('../groups');
const privileges = require('../privileges');
const utils = require('../utils');
module.exports = function (Posts) {
@@ -24,8 +25,17 @@ module.exports = function (Posts) {
throw new Error('[[error:invalid-uid]]');
}
if (data.toPid && !utils.isNumber(data.toPid)) {
throw new Error('[[error:invalid-pid]]');
if (data.toPid) {
const toPidExists = await Posts.exists(data.toPid);
const toPidDeleted = await Posts.getPostField(data.toPid, 'deleted');
const canViewToPid = await privileges.posts.can('posts:view_deleted', data.toPid, uid);
if (
!utils.isNumber(data.toPid) || !toPidExists ||
(toPidDeleted && !canViewToPid)
) {
throw new Error('[[error:invalid-pid]]');
}
}
const pid = await db.incrObjectField('global', 'nextPid');