Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-02-28 01:21:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: access checks for tags and thumbs get route

Browse Source
This commit is contained in:
Julian Lam
2021-01-12 17:38:35 -05:00
parent c0fb1cb59c
commit 77ab46686d
2 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/controllers/write/topics.js
View File

@@ -86,16 +86,28 @@ Topics.unfollow = async (req, res) => {
}; };
Topics.addTags = async (req, res) => { Topics.addTags = async (req, res) => {
if (!await privileges.topics.canEdit(req.params.tid, req.user.uid)) {
return helpers.formatApiResponse(403, res);
}
await topics.createTags(req.body.tags, req.params.tid, Date.now()); await topics.createTags(req.body.tags, req.params.tid, Date.now());
helpers.formatApiResponse(200, res); helpers.formatApiResponse(200, res);
}; };
Topics.deleteTags = async (req, res) => { Topics.deleteTags = async (req, res) => {
if (!await privileges.topics.canEdit(req.params.tid, req.user.uid)) {
return helpers.formatApiResponse(403, res);
}
await topics.deleteTopicTags(req.params.tid); await topics.deleteTopicTags(req.params.tid);
helpers.formatApiResponse(200, res); helpers.formatApiResponse(200, res);
}; };
Topics.getThumbs = async (req, res) => { Topics.getThumbs = async (req, res) => {
if (!await privileges.topics.can('topics:read', req.params.tid, req.uid)) {
return helpers.formatApiResponse(403, res);
}
helpers.formatApiResponse(200, res, await topics.thumbs.get(req.params.tid)); helpers.formatApiResponse(200, res, await topics.thumbs.get(req.params.tid));
}; };

2
src/routes/write/topics.js
View File

@@ -35,7 +35,7 @@ module.exports = function () {
setupApiRoute(router, 'put', '/:tid/tags', [...middlewares, middleware.checkRequired.bind(null, ['tags']), middleware.assert.topic], controllers.write.topics.addTags); setupApiRoute(router, 'put', '/:tid/tags', [...middlewares, middleware.checkRequired.bind(null, ['tags']), middleware.assert.topic], controllers.write.topics.addTags);
setupApiRoute(router, 'delete', '/:tid/tags', [...middlewares, middleware.assert.topic], controllers.write.topics.deleteTags); setupApiRoute(router, 'delete', '/:tid/tags', [...middlewares, middleware.assert.topic], controllers.write.topics.deleteTags);
setupApiRoute(router, 'get', '/:tid/thumbs', [], controllers.write.topics.getThumbs); setupApiRoute(router, 'get', '/:tid/thumbs', middleware.authenticateOrGuest, controllers.write.topics.getThumbs);
setupApiRoute(router, 'post', '/:tid/thumbs', [multipartMiddleware, middleware.validateFiles, ...middlewares], controllers.write.topics.addThumb); setupApiRoute(router, 'post', '/:tid/thumbs', [multipartMiddleware, middleware.validateFiles, ...middlewares], controllers.write.topics.addThumb);
setupApiRoute(router, 'put', '/:tid/thumbs', [], controllers.write.topics.migrateThumbs); setupApiRoute(router, 'put', '/:tid/thumbs', [], controllers.write.topics.migrateThumbs);
setupApiRoute(router, 'delete', '/:tid/thumbs', [...middlewares, middleware.checkRequired.bind(null, ['path'])], controllers.write.topics.deleteThumb); setupApiRoute(router, 'delete', '/:tid/thumbs', [...middlewares, middleware.checkRequired.bind(null, ['path'])], controllers.write.topics.deleteThumb);