server: fix private posts being accessible for authed accounts

This commit is contained in:
Max Leiter 2022-04-05 16:22:42 -07:00
parent e5b9b65b55
commit 808314658d
WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.
GPG key ID: A3512F2F2F17EBDA

View file

@ -240,6 +240,10 @@ posts.get(
} }
}), }),
async (req: UserJwtRequest, res, next) => { async (req: UserJwtRequest, res, next) => {
const isUserAuthor = (post: Post) => {
return req.user?.id && post.users?.map((user) => user.id).includes(req.user?.id)
}
try { try {
const post = await Post.findByPk(req.params.id, { const post = await Post.findByPk(req.params.id, {
include: [ include: [
@ -293,20 +297,30 @@ posts.get(
}) })
} else if (post.visibility === "private") { } else if (post.visibility === "private") {
jwt(req as UserJwtRequest, res, () => { jwt(req as UserJwtRequest, res, () => {
if (isUserAuthor(post)) {
res.json(post) res.json(post)
} else {
res.status(403).send()
}
}) })
} else if (post.visibility === "protected") { } else if (post.visibility === "protected") {
const { password } = req.query const { password } = req.query
if (!password || typeof password !== "string") { if (!password || typeof password !== "string") {
return jwt(req as UserJwtRequest, res, () => { return jwt(req as UserJwtRequest, res, () => {
if (isUserAuthor(post)) {
res.json(post) res.json(post)
} else {
res.status(403).send()
}
}) })
} }
const hash = crypto const hash = crypto
.createHash("sha256") .createHash("sha256")
.update(password) .update(password)
.digest("hex") .digest("hex")
.toString() .toString()
if (hash !== post.password) { if (hash !== post.password) {
return res.status(400).json({ error: "Incorrect password." }) return res.status(400).json({ error: "Incorrect password." })
} }