'use strict';
/**
 * The middlewares here strictly act to "assert" validity of the incoming
 * payload: that the referenced user/group/category/topic/post/flag/path/
 * room/message exists and, where noted, is visible to the caller. They do
 * not throw on failure — they end the request via
 * controllerHelpers.formatApiResponse with an error status, and only call
 * next() when the assertion holds.
 */
const path = require('path');
const nconf = require('nconf');
const file = require('../file');
const user = require('../user');
const groups = require('../groups');
const categories = require('../categories');
const topics = require('../topics');
const posts = require('../posts');
const messaging = require('../messaging');
const flags = require('../flags');
const slugify = require('../slugify');
const activitypub = require('../activitypub');
const helpers = require('./helpers');
const controllerHelpers = require('../controllers/helpers');
// Every assertion middleware below is attached to this object, which is the
// module's export (referenced elsewhere as `middleware.assert.<name>`).
const Assert = module.exports;
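/**
 * Assert that `req.params.uid` refers to a known user.
 *
 * Two forms are accepted:
 *   - a numeric uid (coercing `isFinite`, as before), verified with `user.exists`;
 *   - a handle containing '@', verified with `activitypub.helpers.query`
 *     (presumably a remote ActivityPub lookup — confirm in ../activitypub).
 * Anything else, including a missing parameter, answers 404 `[[error:no-user]]`.
 *
 * NOTE(review): the '@' branch triggers a lookup for any caller-supplied
 * string; if a route using this middleware is reachable unauthenticated,
 * consider rate-limiting it — verify against the route definitions.
 */
Assert.user = helpers.try(async (req, res, next) => {
	const { uid } = req.params;
	// A missing param used to raise a TypeError on `.indexOf` (surfacing as
	// a 500); treat it as "no such user" instead.
	if (uid === undefined || uid === null) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
	}
	const handle = String(uid);

	// Local numeric uid.
	if (isFinite(uid) && await user.exists(uid)) {
		return next();
	}
	// Remote/federated handle.
	if (handle.includes('@') && await activitypub.helpers.query(uid)) {
		return next();
	}

	controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
});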
/**
 * Assert that `req.params.slug` resolves to an existing group.
 *
 * The slug is first mapped to a group name; an unresolvable slug, or a
 * name that `groups.exists` no longer knows, answers 404 `[[error:no-group]]`.
 * Existence only — nothing here checks the caller's privileges on the group.
 */
Assert.group = helpers.try(async (req, res, next) => {
	const groupName = await groups.getGroupNameByGroupSlug(req.params.slug);
	const found = Boolean(groupName) && await groups.exists(groupName);
	if (!found) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-group]]'));
	}
	next();
});
/**
 * Assert that `req.params.cid` is an existing category; otherwise answer
 * 404 `[[error:no-category]]`.
 * Existence only — no privilege check is performed here.
 */
Assert.category = helpers.try(async (req, res, next) => {
	const categoryExists = await categories.exists(req.params.cid);
	if (categoryExists) {
		return next();
	}
	controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-category]]'));
});
/**
 * Assert that `req.params.tid` is an existing topic; otherwise answer
 * 404 `[[error:no-topic]]`.
 * Existence only — no privilege check is performed here.
 */
Assert.topic = helpers.try(async (req, res, next) => {
	const topicExists = await topics.exists(req.params.tid);
	if (topicExists) {
		return next();
	}
	controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
});
/**
 * Assert that `req.params.pid` is an existing post; otherwise answer
 * 404 `[[error:no-post]]`.
 * Existence only — no privilege check is performed here.
 */
Assert.post = helpers.try(async (req, res, next) => {
	const postExists = await posts.exists(req.params.pid);
	if (postExists) {
		return next();
	}
	controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-post]]'));
});
/**
 * Assert that the caller (`req.uid`) may view flag `req.params.flagId`.
 *
 * `flags.canView` covers both existence and visibility (see the
 * "flags.canView to check flag existence" history for this line), and
 * both failures answer the same 404 `[[error:no-flag]]`, so a caller who
 * lacks access cannot tell whether the flag exists.
 */
Assert.flag = helpers.try(async (req, res, next) => {
	const visible = await flags.canView(req.params.flagId, req.uid);
	if (visible) {
		return next();
	}
	controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-flag]]'));
});
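/**
 * Normalise `req.body.path` into a filesystem path inside `upload_path`
 * and expose it as `res.locals.cleanedPath` (the normalised input is also
 * written back to `req.body.path`).
 *
 * Accepted forms:
 *   - a `file:///` URL (its pathname is used);
 *   - a URL prefixed with `upload_url` (the prefix is stripped);
 *   - a path relative to `upload_path`.
 *
 * Responses:
 *   400 `[[error:invalid-data]]`  — `path` missing or not a string;
 *   403 `[[error:invalid-path]]`  — resolved path escapes `upload_path`;
 *   404 `[[error:invalid-path]]`  — resolved path does not exist.
 *
 * NOTE(review): containment is lexical (after `path.join` normalisation);
 * symlinks inside upload_path are not resolved here.
 */
Assert.path = helpers.try(async (req, res, next) => {
	let requested = req.body.path;
	// Previously a missing/non-string `path` threw on `.startsWith` (→ 500).
	if (typeof requested !== 'string') {
		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]'));
	}

	// file: URL support
	if (requested.startsWith('file:///')) {
		requested = new URL(requested).pathname;
	}

	// Strip upload_url if found
	const uploadUrl = nconf.get('upload_url');
	if (uploadUrl && requested.startsWith(uploadUrl)) {
		requested = requested.slice(uploadUrl.length);
	}
	req.body.path = requested;

	// Resolve the base so a trailing slash or relative upload_path cannot
	// make the boundary check below misfire.
	const uploadPath = path.resolve(nconf.get('upload_path'));
	// path.join (not resolve) so an absolute input stays under uploadPath,
	// and so `..` segments are normalised before we test containment.
	const pathToFile = path.join(uploadPath, requested);

	// Guard against path traversal. A bare prefix test would accept a
	// sibling such as `<upload_path>-backup/...`; require either the base
	// itself or the base followed by a separator.
	const inside = pathToFile === uploadPath || pathToFile.startsWith(uploadPath + path.sep);
	if (!inside) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
	}
	res.locals.cleanedPath = pathToFile;

	if (!await file.exists(pathToFile)) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
	}

	next();
});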
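/**
 * Assert that `req.body.folderName` is a usable name for a new folder under
 * the directory resolved by `Assert.path`, and expose the target as
 * `res.locals.folderPath`.
 *
 * Must run after `Assert.path`: it reads `res.locals.cleanedPath`. The name
 * is reduced to its basename (so directory separators cannot be smuggled
 * in) and slugified, which strips invalid characters and may leave it empty.
 *
 * Responses:
 *   400 `[[error:invalid-data]]`  — `folderName` missing/not a string, or
 *                                    `cleanedPath` not set by a prior middleware;
 *   403 `[[error:invalid-path]]`  — name is empty after slugifying;
 *   403 `[[error:folder-exists]]` — target already exists.
 */
Assert.folderName = helpers.try(async (req, res, next) => {
	const rawName = req.body.folderName;
	const parentDir = res.locals.cleanedPath;
	// Previously a missing name (`.trim()` on undefined) or a missing parent
	// (`path.join` on undefined) threw and surfaced as a 500.
	if (typeof rawName !== 'string' || typeof parentDir !== 'string') {
		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]'));
	}

	// slugify removes invalid characters, folderName may become empty
	const folderName = slugify(path.basename(rawName.trim()));
	if (!folderName) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
	}

	const folderPath = path.join(parentDir, folderName);
	if (await file.exists(folderPath)) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:folder-exists]]'));
	}

	res.locals.folderPath = folderPath;
	next();
});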
/**
 * Assert that `req.params.roomId` is a chat room the caller belongs to.
 *
 * Responses:
 *   400 `[[error:invalid-data]]`             — roomId is not numeric
 *                                              (coercing `isFinite`, so '' and ' ' pass this gate);
 *   404 `[[error:chat-room-does-not-exist]]` — no such room;
 *   403 `[[error:no-privileges]]`            — room exists but `req.uid` is not a member.
 * Note the 404/403 split discloses whether a room exists to non-members.
 */
Assert.room = helpers.try(async (req, res, next) => {
	const { roomId } = req.params;
	if (!isFinite(roomId)) {
		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]'));
	}

	// The two lookups are independent, so they run concurrently.
	const [roomExists, callerInRoom] = await Promise.all([
		messaging.roomExists(roomId),
		messaging.isUserInRoom(req.uid, roomId),
	]);

	if (!roomExists) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:chat-room-does-not-exist]]'));
	}
	if (!callerInRoom) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
	}
	next();
});
/**
 * Assert that `req.params.mid` is a chat message in `req.params.roomId`
 * that the caller (`req.uid`) may view.
 *
 * Checks run in order and stop at the first failure: numeric-looking mid
 * (coercing `isFinite`), `messaging.messageExists`, then
 * `messaging.canViewMessage`. Every failure answers the same
 * 400 `[[error:invalid-mid]]`, so a caller cannot distinguish "no such
 * message" from "not allowed to view it".
 */
Assert.message = helpers.try(async (req, res, next) => {
	const { mid, roomId } = req.params;
	const reject = () => controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-mid]]'));

	if (!isFinite(mid)) {
		return reject();
	}
	if (!(await messaging.messageExists(mid))) {
		return reject();
	}
	if (!(await messaging.canViewMessage(mid, roomId, req.uid))) {
		return reject();
	}
	next();
});