From a1b49a98e7cc08b1033a01e9bdc8f11d0eb16590 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 2 Dec 2016 09:49:52 -0500
Subject: [PATCH] locking down session deletion route to admins and global mods only
---
 src/middleware/index.js | 14 ++++++++++++++
 src/routes/accounts.js | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/middleware/index.js b/src/middleware/index.js
index 7f55388804..ae2622beea 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -49,6 +49,20 @@ middleware.authenticate = function (req, res, next) {
 controllers.helpers.notAllowed(req, res);
 };
+middleware.ensureGlobalPrivilege = function (req, res, next) {
+ if (req.user) {
+ user.isAdminOrGlobalMod(req.uid, function (err, ok) {
+ if (ok) {
+ return next();
+ } else {
+ controllers.helpers.notAllowed(req, res);
+ }
+ });
+ } else {
+ controllers.helpers.notAllowed(req, res);
+ }
+};
 middleware.pageView = function (req, res, next) {
 analytics.pageView({
 ip: req.ip,
diff --git a/src/routes/accounts.js b/src/routes/accounts.js
index 14382bd568..118a613112 100644
--- a/src/routes/accounts.js
+++ b/src/routes/accounts.js
@@ -28,7 +28,7 @@ module.exports = function (app, middleware, controllers) {
 setupPageRoute(app, '/user/:userslug/info', middleware, accountMiddlewares, controllers.accounts.info.get);
 setupPageRoute(app, '/user/:userslug/settings', middleware, accountMiddlewares, controllers.accounts.settings.get);
- app.delete('/api/user/:userslug/session/:uuid', [middleware.requireUser], controllers.accounts.session.revoke);
+ app.delete('/api/user/:userslug/session/:uuid', [middleware.ensureGlobalPrivilege], controllers.accounts.session.revoke);
 setupPageRoute(app, '/notifications', middleware, [middleware.authenticate], controllers.accounts.notifications.get);
 setupPageRoute(app, '/user/:userslug/chats/:roomid?', middleware, middlewares, controllers.accounts.chats.get);
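Review bot: The `err` argument of the `user.isAdminOrGlobalMod` callback is never examined in the new `ensureGlobalPrivilege` middleware, so a failed lookup leaves `ok` undefined and is answered with the same not-allowed response as a genuine denial, with nothing logged and no way for an operator to tell an outage from an authorization refusal. Failing closed is the right default, but the error should be surfaced to Express's error handling first: `if (err) { return next(err); }` ahead of the `if (ok)` check. The `else` after `return next();` is redundant and can be dropped, leaving `controllers.helpers.notAllowed(req, res);` as the fall-through. The guard also tests `req.user` while the lookup is keyed on `req.uid`; if both are populated by the same upstream middleware this is harmless, but checking `req.uid` directly would keep the precondition and the lookup consistent.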
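Review bot: Replacing `middleware.requireUser` with `middleware.ensureGlobalPrivilege` means the route no longer relates the requester to `:userslug` in any way, so ordinary users lose the ability to revoke their own sessions; the commit title says that is intended, but the path still reads as a per-user action, so the line deserves a comment such as `// admins and global mods only; self-service session revocation is not exposed here`. Whether `controllers.accounts.session.revoke` checks that `:uuid` actually belongs to the user named by `:userslug` is outside this diff, so that validation remains the controller's responsibility and is worth confirming. The enclosing `module.exports` function starts and ends outside the hunk.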