server: fix private posts being accessible for authed accounts

Max Leiter 2022-04-05 16:22:42 -07:00
parent e5b9b65b55
commit 808314658d


@ -240,6 +240,10 @@ posts.get(
}
}),
async (req: UserJwtRequest, res, next) => {
const isUserAuthor = (post: Post) => {
return req.user?.id && post.users?.map((user) => user.id).includes(req.user?.id)
}
try {
const post = await Post.findByPk(req.params.id, {
include: [
@ -293,20 +297,30 @@ posts.get(
})
} else if (post.visibility === "private") {
jwt(req as UserJwtRequest, res, () => {
res.json(post)
if (isUserAuthor(post)) {
res.json(post)
} else {
res.status(403).send()
}
})
} else if (post.visibility === "protected") {
const { password } = req.query
if (!password || typeof password !== "string") {
return jwt(req as UserJwtRequest, res, () => {
res.json(post)
if (isUserAuthor(post)) {
res.json(post)
} else {
res.status(403).send()
}
})
}
const hash = crypto
.createHash("sha256")
.update(password)
.digest("hex")
.toString()
if (hash !== post.password) {
return res.status(400).json({ error: "Incorrect password." })
}
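Review bot: The new `res.status(403).send()` branches in the private and protected cases tell an authenticated non-author that a post with this id exists, since a missing id presumably takes a different path earlier in the handler (outside this hunk); if private posts are meant to be invisible to other users, answering with `res.status(404).send()`, the same as for an unknown id, closes that existence oracle. `isUserAuthor` also returns `req.user?.id` itself (possibly `undefined` or `""`) instead of a boolean, and depends on `includes` strict equality between `user.id` and the JWT's `id`, so a type mismatch between the two (e.g. string vs number) would silently deny every author; `return !!req.user?.id && (post.users ?? []).some((user) => user.id === req.user?.id)` makes the contract explicit. The handler continues beyond the hunk, and the unchanged `hash !== post.password` comparison of an unsalted SHA-256 digest is not addressed by this commit.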