[security] #286 prevent banned users from submitting content
This commit is contained in:
parent
bd30d203c7
commit
e4c993ad9e
|
@ -67,6 +67,10 @@ app.use(async function (req, res, next) {
|
|||
req.user = req.rawUser && req.rawUser.authenticated ? req.rawUser : null;
|
||||
req.isGranted = (area = '', locale = global.config.locale) => req.user && isGranted(req.user, locale, area);
|
||||
req.db = new LazyDatabase();
|
||||
req.isUserAllowedToPost = async () => {
|
||||
const user = await req.db.get(SQL`SELECT bannedReason FROM users WHERE id = ${req.user.id}`);
|
||||
return user && !user.bannedReason;
|
||||
}
|
||||
res.on('finish', async () => {
|
||||
await req.db.close();
|
||||
});
|
||||
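Review bot: `req.isUserAllowedToPost` dereferences `req.user.id` without first checking that `req.user` is set, so a handler that calls it without its own `!req.user` test gets a TypeError instead of `false`; add `if (!req.user) return false;` as the first line of the helper. The `return user && !user.bannedReason;` also yields `undefined` rather than `false` when the row no longer exists, which works at the `!await` call sites but is an awkward contract for a predicate — `return Boolean(user && !user.bannedReason);`. If the schema allows a ban with an empty `bannedReason`, that user would read as allowed here; a dedicated flag would be safer, but the table definition is outside this hunk. Re-reading the row on every call is what lets a ban take effect without invalidating tokens that were issued earlier, which is worth a one-line comment above the helper.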
|
|
|
@ -78,7 +78,7 @@ router.get('/census/count', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.get('/census/export', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('census')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
const report = [];
|
||||
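Review bot: The missing `return` this hunk adds recurs in the same shape in the hide, approve and remove handlers of the inclusive, names, nouns, sources and terms routers, so the guard would be better expressed once, where a future handler cannot fall through past the 401 again, e.g. `const requireGranted = (area) => (req, res, next) => req.isGranted(area) ? next() : res.status(401).json({error: 'Unauthorised'});` mounted as `router.get('/census/export', requireGranted('census'), handleErrorAsync(...))`. Separately, `isGranted` failing for a user who is already logged in is an authorization failure, for which HTTP defines 403 rather than 401; changing that is visible to clients, so it belongs in a follow-up rather than in this fix. The handler body continues outside the hunk.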
|
|
|
@ -49,8 +49,8 @@ router.get('/inclusive/search/:term', handleErrorAsync(async (req, res) => {
|
|||
}));
|
||||
|
||||
router.post('/inclusive/submit', handleErrorAsync(async (req, res) => {
|
||||
if (!req.user) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
if (!req.user || !await req.isUserAllowedToPost()) {
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
if (!(req.user && req.user.admin) && isTroll(JSON.stringify(req.body))) {
|
||||
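Review bot: The guard `if (!req.user || !await req.isUserAllowedToPost())` is repeated verbatim in the names, nouns, sources and terms submit handlers, so the ban check now lives in five places and a sixth submit route would have to remember it; a shared middleware such as `const requirePoster = async (req, res, next) => (req.user && await req.isUserAllowedToPost()) ? next() : res.status(401).json({error: 'Unauthorised'});` (wrapped in `handleErrorAsync` if that wrapper passes `next` through) would keep them in step. The short-circuit on `!req.user` is what keeps `isUserAllowedToPost` from dereferencing a null user, so the operand order matters and deserves a comment. A banned user and an anonymous one now receive the identical response, which is fine if intended, but it means the client cannot explain the ban; if the UI is expected to surface `bannedReason`, a distinct 403 body would be needed. The handler body continues outside the hunk.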
|
@ -77,7 +77,7 @@ router.post('/inclusive/submit', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/inclusive/hide/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('inclusive')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
@ -93,7 +93,7 @@ router.post('/inclusive/hide/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/inclusive/approve/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('inclusive')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await approve(req.db, req.params.id);
|
||||
|
@ -103,7 +103,7 @@ router.post('/inclusive/approve/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/inclusive/remove/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('inclusive')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
|
|
@ -37,8 +37,8 @@ router.get('/names', handleErrorAsync(async (req, res) => {
|
|||
}));
|
||||
|
||||
router.post('/names/submit', handleErrorAsync(async (req, res) => {
|
||||
if (!req.user) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
if (!req.user || !await req.isUserAllowedToPost()) {
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
if (!(req.user && req.user.admin) && isTroll(JSON.stringify(req.body))) {
|
||||
|
@ -68,7 +68,7 @@ router.post('/names/submit', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/names/hide/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('names')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
@ -84,7 +84,7 @@ router.post('/names/hide/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/names/approve/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('names')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await approve(req.db, req.params.id);
|
||||
|
@ -94,7 +94,7 @@ router.post('/names/approve/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/names/remove/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('names')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
|
|
@ -97,8 +97,8 @@ router.get('/nouns/search/:term', handleErrorAsync(async (req, res) => {
|
|||
}));
|
||||
|
||||
router.post('/nouns/submit', handleErrorAsync(async (req, res) => {
|
||||
if (!req.user) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
if (!req.user || !await req.isUserAllowedToPost()) {
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
if (!(req.user && req.user.admin) && isTroll(JSON.stringify(req.body))) {
|
||||
|
@ -126,7 +126,7 @@ router.post('/nouns/submit', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/nouns/hide/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('nouns')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
@ -142,7 +142,7 @@ router.post('/nouns/hide/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/nouns/approve/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('nouns')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await approve(req.db, req.params.id);
|
||||
|
@ -152,7 +152,7 @@ router.post('/nouns/approve/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/nouns/remove/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('nouns')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
|
|
@ -83,8 +83,8 @@ router.get('/sources/:id', handleErrorAsync(async (req, res) => {
|
|||
}));
|
||||
|
||||
router.post('/sources/submit', handleErrorAsync(async (req, res) => {
|
||||
if (!req.user) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
if (!req.user || !await req.isUserAllowedToPost()) {
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
const id = ulid();
|
||||
|
@ -108,7 +108,7 @@ router.post('/sources/submit', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/sources/hide/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('sources')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
@ -122,7 +122,7 @@ router.post('/sources/hide/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/sources/approve/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('sources')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await approve(req.db, req.params.id);
|
||||
|
@ -132,7 +132,7 @@ router.post('/sources/approve/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/sources/remove/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('sources')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
|
|
@ -82,8 +82,8 @@ router.get('/terms/search/:term', handleErrorAsync(async (req, res) => {
|
|||
}));
|
||||
|
||||
router.post('/terms/submit', handleErrorAsync(async (req, res) => {
|
||||
if (!req.user) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
if (!req.user || !await req.isUserAllowedToPost()) {
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
if (!(req.user && req.user.admin) && isTroll(JSON.stringify(req.body))) {
|
||||
|
@ -110,7 +110,7 @@ router.post('/terms/submit', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/terms/hide/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('terms')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
@ -126,7 +126,7 @@ router.post('/terms/hide/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/terms/approve/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('terms')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await approve(req.db, req.params.id);
|
||||
|
@ -136,7 +136,7 @@ router.post('/terms/approve/:id', handleErrorAsync(async (req, res) => {
|
|||
|
||||
router.post('/terms/remove/:id', handleErrorAsync(async (req, res) => {
|
||||
if (!req.isGranted('terms')) {
|
||||
res.status(401).json({error: 'Unauthorised'});
|
||||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
await req.db.get(SQL`
|
||||
|
|
|
@ -504,7 +504,7 @@ router.get('/admin/impersonate/:email', handleErrorAsync(async (req, res) => {
|
|||
return res.status(401).json({error: 'Unauthorised'});
|
||||
}
|
||||
|
||||
res.json({token: await issueAuthentication(req.db, {email: req.params.email})});
|
||||
return res.json({token: await issueAuthentication(req.db, {email: req.params.email})});
|
||||
}));
|
||||
|
||||
export default router;
|
||||
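Review bot: The `return` added to the final `res.json(...)` of the impersonate handler changes nothing at runtime, since no statement follows it, so it reads as consistency with the other handlers rather than a fix and a short note in the commit message would spare the reader looking for a fall-through. More useful here would be an audit record: the endpoint mints a token for whatever `req.params.email` is supplied, and nothing in the hunk records who impersonated whom — something like `console.log(`impersonate: ${req.user.id} -> ${req.params.email}`);` before the `res.json`, or the app's own logger if it has one. The permission guard sits above the hunk, so whether the target account is validated first is not visible here.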
|
|