'use strict'; // CommonJS module (require/module.exports below), so strict mode is opted into explicitly
/**
* The middlewares here strictly act to "assert" validity of the incoming
* payload and throw an error otherwise.
*/
const path = require('path');
const nconf = require('nconf');
const file = require('../file');
const user = require('../user');
const groups = require('../groups');
const topics = require('../topics');
const posts = require('../posts');
const messaging = require('../messaging');
const flags = require('../flags');
const slugify = require('../slugify');
const helpers = require('./helpers');
const controllerHelpers = require('../controllers/helpers');
// Every middleware below is attached directly to module.exports as Assert.<name>.
const Assert = module.exports;
/**
 * Asserts that `req.params.uid` refers to an existing user.
 * Responds 404 `[[error:no-user]]` otherwise; calls `next()` on success.
 * (Rejections are handled by `helpers.try` — see ./helpers.)
 */
Assert.user = helpers.try(async (req, res, next) => {
	const { uid } = req.params;
	const userExists = await user.exists(uid);

	if (!userExists) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
	}

	next();
});
/**
 * Asserts that `req.params.slug` resolves to an existing group.
 * The slug is first mapped to a group name; the existence check only runs
 * when a name was found. Responds 404 `[[error:no-group]]` otherwise.
 */
Assert.group = helpers.try(async (req, res, next) => {
	const { slug } = req.params;
	const groupName = await groups.getGroupNameByGroupSlug(slug);

	// Short-circuits: groups.exists() is not consulted for an unknown slug
	const found = Boolean(groupName) && await groups.exists(groupName);
	if (!found) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-group]]'));
	}

	next();
});
/**
 * Asserts that `req.params.tid` refers to an existing topic.
 * Responds 404 `[[error:no-topic]]` otherwise; calls `next()` on success.
 */
Assert.topic = helpers.try(async (req, res, next) => {
	const { tid } = req.params;
	const topicExists = await topics.exists(tid);

	if (!topicExists) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
	}

	next();
});
/**
 * Asserts that `req.params.pid` refers to an existing post.
 * Responds 404 `[[error:no-post]]` otherwise; calls `next()` on success.
 */
Assert.post = helpers.try(async (req, res, next) => {
	const { pid } = req.params;
	const postExists = await posts.exists(pid);

	if (!postExists) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-post]]'));
	}

	next();
});
/**
 * Asserts that `req.params.flagId` is a flag the calling user (`req.uid`) may view.
 * `flags.canView` is the single gate here (per its refactor it also covers
 * existence); a flag that is missing OR not viewable yields the same
 * 404 `[[error:no-flag]]`, so the response does not distinguish the two cases.
 */
Assert.flag = helpers.try(async (req, res, next) => {
	const { flagId } = req.params;
	const visible = await flags.canView(flagId, req.uid);

	if (!visible) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-flag]]'));
	}

	next();
});
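/**
 * Asserts that `req.body.path` names an existing file inside `upload_path`.
 *
 * Normalises the incoming value (accepts `file:///` URLs and paths prefixed
 * with `upload_url`), writes the normalised form back to `req.body.path`,
 * and exposes the resolved on-disk path as `res.locals.cleanedPath` for the
 * next middleware (see Assert.folderName).
 *
 * Responses:
 *   400 `[[error:invalid-data]]` – `path` missing or not a string
 *   403 `[[error:invalid-path]]` – resolved path escapes `upload_path`
 *   404 `[[error:invalid-path]]` – file does not exist
 */
Assert.path = helpers.try(async (req, res, next) => {
	const uploadPath = nconf.get('upload_path');
	const uploadUrl = nconf.get('upload_url');
	let { path: requestedPath } = req.body;

	// A missing / non-string value would otherwise throw a TypeError on .startsWith()
	if (typeof requestedPath !== 'string') {
		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]'));
	}

	// file: URL support
	if (requestedPath.startsWith('file:///')) {
		requestedPath = new URL(requestedPath).pathname;
	}

	// Strip upload_url if found
	if (requestedPath.startsWith(uploadUrl)) {
		requestedPath = requestedPath.slice(uploadUrl.length);
	}
	req.body.path = requestedPath;

	const pathToFile = path.join(uploadPath, requestedPath);
	res.locals.cleanedPath = pathToFile;

	// Guard against path traversal. path.join() already collapses "..", so a
	// plain prefix check (`pathToFile.startsWith(uploadPath)`) would still accept
	// a *sibling* directory such as "<upload_path>-other". path.relative() only
	// yields a leading ".." segment (or an absolute path on another drive) when
	// the target lies outside upload_path, regardless of shared name prefixes.
	const relative = path.relative(uploadPath, pathToFile);
	const escapes = relative === '..' || relative.startsWith(`..${path.sep}`) || path.isAbsolute(relative);
	if (escapes) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
	}

	if (!await file.exists(pathToFile)) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
	}

	next();
});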
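/**
 * Asserts that `req.body.folderName` is a usable new-folder name and that the
 * folder does not yet exist. Must run after Assert.path, which provides
 * `res.locals.cleanedPath` (the parent directory). Sets
 * `res.locals.folderPath` on success.
 *
 * Responses:
 *   400 `[[error:invalid-data]]`  – `folderName` missing or not a string
 *   403 `[[error:invalid-path]]`  – name is empty after sanitisation
 *   403 `[[error:folder-exists]]` – target folder already exists
 */
Assert.folderName = helpers.try(async (req, res, next) => {
	const rawName = req.body.folderName;

	// A missing / non-string value would otherwise throw a TypeError on .trim()
	if (typeof rawName !== 'string') {
		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]'));
	}

	// basename() drops any directory component, slugify() strips the remaining invalid characters
	const folderName = slugify(path.basename(rawName.trim()));

	// slugify removes invalid characters, folderName may become empty
	if (!folderName) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
	}

	const folderPath = path.join(res.locals.cleanedPath, folderName);
	if (await file.exists(folderPath)) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:folder-exists]]'));
	}

	res.locals.folderPath = folderPath;

	next();
});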
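/**
 * Asserts that `req.params.roomId` is a numeric id of an existing chat room
 * that the calling user (`req.uid`) is a member of.
 *
 * Responses:
 *   400 `[[error:invalid-data]]`              – roomId is not numeric
 *   404 `[[error:chat-room-does-not-exist]]`  – no such room
 *   403 `[[error:no-privileges]]`             – user is not in the room
 */
Assert.room = helpers.try(async (req, res, next) => {
	const { roomId } = req.params;

	// Route params are strings; the global isFinite() coerces before testing,
	// which is what lets "123" pass here (Number.isFinite would reject it).
	if (!isFinite(roomId)) {
		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]'));
	}

	// The two lookups are independent. Hand Promise.all the raw promises —
	// `await`ing each one inside the array literal (as before) serialised them
	// and made the Promise.all a no-op.
	const [exists, inRoom] = await Promise.all([
		messaging.roomExists(roomId),
		messaging.isUserInRoom(req.uid, roomId),
	]);

	if (!exists) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:chat-room-does-not-exist]]'));
	}

	if (!inRoom) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
	}

	next();
});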
/**
 * Asserts that `req.params.mid` is a numeric id of an existing message that
 * the calling user (`req.uid`) may view within `req.params.roomId`.
 * All three failures map to the same 400 `[[error:invalid-mid]]`; the checks
 * run in order and stop at the first failure, so the view check is never
 * performed for a message that does not exist.
 */
Assert.message = helpers.try(async (req, res, next) => {
	const { mid, roomId } = req.params;
	const reject = () => controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-mid]]'));

	// Global isFinite() coerces the string param; a non-numeric mid fails here
	if (!isFinite(mid)) {
		return reject();
	}
	if (!(await messaging.messageExists(mid))) {
		return reject();
	}
	if (!(await messaging.canViewMessage(mid, roomId, req.uid))) {
		return reject();
	}

	next();
});