fix: group create/join/update name validation
@@ -16,7 +16,7 @@ module.exports = function (Groups) {
|
||||
const disableLeave = parseInt(data.disableLeave, 10) === 1 ? 1 : 0;
|
||||
const isHidden = parseInt(data.hidden, 10) === 1;
|
||||
|
||||
validateGroupName(data.name);
|
||||
Groups.validateGroupName(data.name);
|
||||
|
||||
const exists = await meta.userOrGroupExists(data.name);
|
||||
if (exists) {
|
||||
@@ -72,11 +72,15 @@ module.exports = function (Groups) {
|
||||
Groups.isPrivilegeGroup(data.name);
|
||||
}
|
||||
|
||||
function validateGroupName(name) {
|
||||
Groups.validateGroupName = function (name) {
|
||||
if (!name) {
|
||||
throw new Error('[[error:group-name-too-short]]');
|
||||
}
|
||||
|
||||
if (typeof name !== 'string') {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
|
||||
if (!Groups.isPrivilegeGroup(name) && name.length > meta.config.maximumGroupNameLength) {
|
||||
throw new Error('[[error:group-name-too-long]]');
|
||||
}
|
||||
@@ -88,5 +92,5 @@ module.exports = function (Groups) {
|
||||
if (name.includes('/') || !utils.slugify(name)) {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
}
|
||||
};
|
||||
};
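Review bot: In `Groups.validateGroupName` the `!name` test runs before the new `typeof name !== 'string'` test, so falsy non-string input such as `0`, `false` or `null` is reported as `[[error:group-name-too-short]]` rather than `[[error:invalid-group-name]]`. Moving the type check to the top, `if (typeof name !== 'string') { throw new Error('[[error:invalid-group-name]]'); }`, keeps the error keys accurate; note that a missing name would then report invalid instead of too-short, so any test pinned to the old key needs a look. Since the function is now exported on `Groups` and called from other modules, a short JSDoc stating that it throws a translated error key and returns nothing would help callers. Part of the function body sits between the second and third hunks and is not visible here.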
|
||||
|
||||
@@ -54,7 +54,10 @@ module.exports = function (Groups) {
|
||||
payload.disableLeave = values.disableLeave ? '1' : '0';
|
||||
}
|
||||
|
||||
await checkNameChange(groupName, values.name);
|
||||
if (values.hasOwnProperty('name')) {
|
||||
await checkNameChange(groupName, values.name);
|
||||
}
|
||||
|
||||
if (values.hasOwnProperty('private')) {
|
||||
await updatePrivacy(groupName, values.private);
|
||||
}
|
||||
@@ -125,6 +128,10 @@ module.exports = function (Groups) {
|
||||
}
|
||||
|
||||
async function checkNameChange(currentName, newName) {
|
||||
Groups.validateGroupName(newName);
|
||||
if (Groups.isPrivilegeGroup(newName)) {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
const currentSlug = utils.slugify(currentName);
|
||||
const newSlug = utils.slugify(newName);
|
||||
if (currentName === newName || currentSlug === newSlug) {
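Review bot: In `checkNameChange` the added `Groups.validateGroupName(newName)` call runs before the `currentName === newName || currentSlug === newSlug` comparison, so an update that resubmits a group's existing name is still validated against the current rules. If that comparison is the no-op exit it appears to be (its body is outside the hunk), a group whose stored name no longer passes, for example after `maximumGroupNameLength` is lowered, could not have its other fields saved by a client that always sends `name`. Consider short-circuiting the unchanged case first with `if (currentName === newName) { return; }` and keeping the validation for every real rename, including ones that only change case or punctuation.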
|
||||
|
||||
@@ -22,6 +22,10 @@ SocketGroups.join = async (socket, data) => {
|
||||
throw new Error('[[error:invalid-uid]]');
|
||||
}
|
||||
|
||||
if (typeof data.groupName !== 'string') {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
|
||||
if (data.groupName === 'administrators' || groups.isPrivilegeGroup(data.groupName)) {
|
||||
throw new Error('[[error:not-allowed]]');
|
||||
}
|
||||
@@ -66,6 +70,10 @@ SocketGroups.leave = async (socket, data) => {
|
||||
throw new Error('[[error:invalid-uid]]');
|
||||
}
|
||||
|
||||
if (typeof data.groupName !== 'string') {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
|
||||
if (data.groupName === 'administrators') {
|
||||
throw new Error('[[error:cant-remove-self-as-admin]]');
|
||||
}
|
||||
@@ -104,6 +112,9 @@ SocketGroups.addMember = async (socket, data) => {
|
||||
};
|
||||
|
||||
async function isOwner(socket, data) {
|
||||
if (typeof data.groupName !== 'string') {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
const results = await utils.promiseParallel({
|
||||
isAdmin: await user.isAdministrator(socket.uid),
|
||||
isGlobalModerator: await user.isGlobalModerator(socket.uid),
|
||||
@@ -118,6 +129,9 @@ async function isOwner(socket, data) {
|
||||
}
|
||||
|
||||
async function isInvited(socket, data) {
|
||||
if (typeof data.groupName !== 'string') {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
const invited = await groups.isInvited(socket.uid, data.groupName);
|
||||
if (!invited) {
|
||||
throw new Error('[[error:not-invited]]');
|
||||
@@ -171,6 +185,9 @@ SocketGroups.rejectAll = async (socket, data) => {
|
||||
};
|
||||
|
||||
async function acceptRejectAll(method, socket, data) {
|
||||
if (typeof data.groupName !== 'string') {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
const uids = await groups.getPending(data.groupName);
|
||||
await Promise.all(uids.map(async (uid) => {
|
||||
await method(socket, { groupName: data.groupName, toUid: uid });
|
||||
@@ -251,7 +268,7 @@ SocketGroups.kick = async (socket, data) => {
|
||||
SocketGroups.create = async (socket, data) => {
|
||||
if (!socket.uid) {
|
||||
throw new Error('[[error:no-privileges]]');
|
||||
} else if (groups.isPrivilegeGroup(data.name)) {
|
||||
} else if (typeof data.name !== 'string' || groups.isPrivilegeGroup(data.name)) {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
|
||||
@@ -260,6 +277,7 @@ SocketGroups.create = async (socket, data) => {
|
||||
throw new Error('[[error:no-privileges]]');
|
||||
}
|
||||
data.ownerUid = socket.uid;
|
||||
data.system = false;
|
||||
const groupData = await groups.create(data);
|
||||
logGroupEvent(socket, 'group-create', {
|
||||
groupName: data.name,
|
||||
@@ -338,7 +356,6 @@ SocketGroups.cover.update = async (socket, data) => {
|
||||
if (!socket.uid) {
|
||||
throw new Error('[[error:no-privileges]]');
|
||||
}
|
||||
|
||||
await canModifyGroup(socket.uid, data.groupName);
|
||||
return await groups.updateCover(socket.uid, data);
|
||||
};
|
||||
@@ -353,6 +370,9 @@ SocketGroups.cover.remove = async (socket, data) => {
|
||||
};
|
||||
|
||||
async function canModifyGroup(uid, groupName) {
|
||||
if (typeof groupName !== 'string') {
|
||||
throw new Error('[[error:invalid-group-name]]');
|
||||
}
|
||||
const results = await utils.promiseParallel({
|
||||
isOwner: groups.ownership.isOwner(uid, groupName),
|
||||
isAdminOrGlobalMod: user.isAdminOrGlobalMod(uid),
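Review bot: `SocketGroups.create` still passes the client-supplied `data` object to `groups.create(data)` after overwriting only `ownerUid` and `system` (hunk `-260,6 +277,7`), so every other property the client sends reaches the model unchanged. Pinning `system` closes one field, while an allowlist closes the whole class: build a fresh object such as `const payload = { name: data.name, ownerUid: socket.uid, system: false };`, add only the fields this endpoint is meant to accept, and pass that instead. Which fields those are cannot be told from this page. Separately, the new guards read `data.groupName` and `data.name` directly, so a `null` payload would raise a `TypeError` instead of `[[error:invalid-group-name]]` unless `data` is checked earlier, which the hunks do not show.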
|
||||
|
||||