add referer check to /api/admin/users/csv

src/controllers/admin/users.js

@@ -2,6 +2,7 @@
 
 var async = require('async');
 var validator = require('validator');
+var nconf = require('nconf');
 
 var user = require('../../user');
 var meta = require('../../meta');
@@ -183,6 +184,11 @@ function render(req, res, data) {
 }
 
 usersController.getCSV = function (req, res, next) {
+	var referer = req.headers.referer;
+
+	if (!referer || !referer.replace(nconf.get('url'), '').startsWith('/admin/manage/users')) {
+		return res.status(403).send('[[error:invalid-origin]]');
+	}
 	events.log({
 		type: 'getUsersCSV',
 		uid: req.user.uid,

test/controllers-admin.js

@@ -255,9 +255,38 @@ describe('Admin Controllers', function () {
 		});
 	});
 
-	it('should load /admin/users/csv', function (done) {
+	it('should return 403 if no referer', function (done) {
 		request(nconf.get('url') + '/api/admin/users/csv', { jar: jar }, function (err, res, body) {
 			assert.ifError(err);
+			assert.equal(res.statusCode, 403);
+			assert.equal(body, '[[error:invalid-origin]]');
+			done();
+		});
+	});
+
+	it('should return 403 if referer is not /admin/users/csv', function (done) {
+		request(nconf.get('url') + '/api/admin/users/csv', {
+			jar: jar,
+			headers: {
+				referer: '/topic/1/test',
+			},
+		}, function (err, res, body) {
+			assert.ifError(err);
+			assert.equal(res.statusCode, 403);
+			assert.equal(body, '[[error:invalid-origin]]');
+			done();
+		});
+	});
+
+	it('should load /admin/users/csv', function (done) {
+		request(nconf.get('url') + '/api/admin/users/csv', {
+			jar: jar,
+			headers: {
+				referer: nconf.get('url') + '/admin/manage/users',
+			},
+		}, function (err, res, body) {
+			assert.ifError(err);
+			assert.equal(res.statusCode, 200);
 			assert(body);
 			done();
 		});