locking down session deletion route to admins and global mods only

This commit is contained in:
Julian Lam
2016-12-02 09:49:52 -05:00
parent 69b766bbc8
commit a1b49a98e7
2 changed files with 15 additions and 1 deletions


@@ -49,6 +49,20 @@ middleware.authenticate = function (req, res, next) {
controllers.helpers.notAllowed(req, res);
};
middleware.ensureGlobalPrivilege = function (req, res, next) {
if (req.user) {
user.isAdminOrGlobalMod(req.uid, function (err, ok) {
if (ok) {
return next();
} else {
controllers.helpers.notAllowed(req, res);
}
});
} else {
controllers.helpers.notAllowed(req, res);
}
};
middleware.pageView = function (req, res, next) {
analytics.pageView({
ip: req.ip,
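Review bot: The callback passed to `user.isAdminOrGlobalMod` in the new `middleware.ensureGlobalPrivilege` discards `err`: a failed lookup leaves `ok` undefined and the request is answered with `controllers.helpers.notAllowed`, so a backend error is indistinguishable from a genuine denial and never reaches the error handler or a log. Failing closed is the right default for an authorization gate, but the error should still be propagated; add `if (err) { return next(err); }` as the first line of the callback. The `else` after `return next();` is redundant and can be dropped so the deny path reads as a plain fallthrough, matching the style of `middleware.authenticate` above it. The `middleware.pageView` definition at the bottom continues past the end of the hunk.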


@@ -28,7 +28,7 @@ module.exports = function (app, middleware, controllers) {
setupPageRoute(app, '/user/:userslug/info', middleware, accountMiddlewares, controllers.accounts.info.get);
setupPageRoute(app, '/user/:userslug/settings', middleware, accountMiddlewares, controllers.accounts.settings.get);
app.delete('/api/user/:userslug/session/:uuid', [middleware.requireUser], controllers.accounts.session.revoke);
app.delete('/api/user/:userslug/session/:uuid', [middleware.ensureGlobalPrivilege], controllers.accounts.session.revoke);
setupPageRoute(app, '/notifications', middleware, [middleware.authenticate], controllers.accounts.notifications.get);
setupPageRoute(app, '/user/:userslug/chats/:roomid?', middleware, middlewares, controllers.accounts.chats.get);
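Review bot: The session-revoke route is now gated solely by `middleware.ensureGlobalPrivilege`, which per the other hunk in this commit denies when `req.user` is absent or the caller is not an admin or global mod, so `controllers.accounts.session.revoke` no longer receives any guarantee that the caller matches `:userslug`; that appears to be the intent, but the controller should be checked for any remaining assumption that `req.uid` owns the session identified by `:uuid`. Unlike its `setupPageRoute` siblings, `app.delete` installs only the one middleware explicitly, so whatever `setupPageRoute` layers onto page routes (not visible here) is not applied to this state-changing API route; it is worth confirming that request-level protections for API mutations come from an earlier `app.use` rather than from the replaced `middleware.requireUser`. The enclosing `module.exports` function extends beyond the hunk.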