From 63af4f0f152a546c43ba757225fc2c9e84ae9329 Mon Sep 17 00:00:00 2001
From: fatchan
Date: Sat, 3 Aug 2019 02:48:40 +0000
Subject: [PATCH] fixed ban check for new perm levels and add login check (not just perm level) to authed forms
---
 controllers/forms.js | 30 +++++++++++++++++++++---------
 helpers/checks/bancheck.js | 3 ++-
 2 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/controllers/forms.js b/controllers/forms.js
index d2195f60..d9307b17 100644
--- a/controllers/forms.js
+++ b/controllers/forms.js
@@ -2,6 +2,7 @@ const express = require('express') , router = express.Router() + , { enableUserBoards } = require(__dirname+'/../configs/main.json') , Boards = require(__dirname+'/../db/boards.js') , Posts = require(__dirname+'/../db/posts.js') , Mongo = require(__dirname+'/../db/db.js')
@@ -47,6 +48,7 @@ const express = require('express') , spamCheck = require(__dirname+'/../helpers/checks/spamcheck.js') , paramConverter = require(__dirname+'/../helpers/paramconverter.js') , banCheck = require(__dirname+'/../helpers/checks/bancheck.js') + , isLoggedIn = require(__dirname+'/../helpers/checks/isloggedin.js') , verifyCaptcha = require(__dirname+'/../helpers/captcha/captchaverify.js') , actionHandler = require(__dirname+'/../models/forms/actionhandler.js') , csrf = require(__dirname+'/../helpers/checks/csrfmiddleware.js')
@@ -143,7 +145,17 @@ router.post('/changepassword', verifyCaptcha, async (req, res, next) => { }); //create board
-router.post('/create', csrf, verifyCaptcha, (req, res, next) => {
+router.post('/create', csrf, isLoggedIn, verifyCaptcha, (req, res, next) => {
+
+ res.locals.authLevel = checkPerms(req, res);
+ if (enableUserBoards === false && res.locals.authLevel !== 0) {
+ //only board admin can create boards when user board creation disabled
+ return res.status(400).render('message', {
+ 'title': 'Bad request',
+ 'error': 'Board creation is only available to site administration',
+ 'redirect': '/'
+ })
+ }
 const errors = []; 
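Review bot: The new authorization guard at the top of the `/create` handler fails open when the config key is absent or mistyped: `enableUserBoards === false` matches only a literal `false`, so a missing `enableUserBoards` in `configs/main.json` (undefined) or a string such as `"false"` skips the check and any logged-in user can create boards. An access gate should default to deny, e.g. `if (enableUserBoards !== true && res.locals.authLevel !== 0) {`, with the comment `//default deny: board creation is admin-only unless the config explicitly enables it`. The denial is also sent as `res.status(400)` with title 'Bad request'; a permission refusal is a 403, which matters for log review because 400s are normally read as malformed client requests rather than rejected access attempts. I am assuming from the comment and from `checkPermsMiddleware(1)` being used for the global routes that level 0 is the site administrator; `checkPerms` itself is not in this diff. The `/create` handler body continues past the end of the hunk.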
@@ -179,7 +191,7 @@ router.post('/create', csrf, verifyCaptcha, (req, res, next) => { 'title': 'Bad request', 'errors': errors, 'redirect': '/create.html'
-})
+});
 } createBoard(req, res, next);
@@ -312,7 +324,7 @@ router.post('/board/:board/post', Boards.exists, banCheck, postFiles, paramConve }); //board settings
-router.post('/board/:board/settings', csrf, Boards.exists, checkPermsMiddleware(2), paramConverter, async (req, res, next) => {
+router.post('/board/:board/settings', csrf, Boards.exists, isLoggedIn, checkPermsMiddleware(2), paramConverter, async (req, res, next) => {
 const errors = [];
@@ -367,7 +379,7 @@ router.post('/board/:board/settings', csrf, Boards.exists, checkPermsMiddleware( }); //upload banners
-router.post('/board/:board/addbanners', bannerFiles, csrf, Boards.exists, checkPermsMiddleware(2), paramConverter, async (req, res, next) => {
+router.post('/board/:board/addbanners', bannerFiles, csrf, Boards.exists, isLoggedIn, checkPermsMiddleware(2), paramConverter, async (req, res, next) => {
 if (req.files && req.files.file) { if (Array.isArray(req.files.file)) {
@@ -406,7 +418,7 @@ router.post('/board/:board/addbanners', bannerFiles, csrf, Boards.exists, checkP }); //delete banners
-router.post('/board/:board/deletebanners', csrf, Boards.exists, checkPermsMiddleware(2), paramConverter, async (req, res, next) => {
+router.post('/board/:board/deletebanners', csrf, Boards.exists, isLoggedIn, checkPermsMiddleware(2), paramConverter, async (req, res, next) => {
 const errors = []; 
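Review bot: In the `/board/:board/addbanners` route, `bannerFiles` still runs ahead of `csrf`, `isLoggedIn` and `checkPermsMiddleware(2)`, so the multipart body from an unauthenticated or unprivileged client is fully parsed, and any upload the parser stores is written, before the request is refused. If the parser has to precede `csrf` so the token in the form body can be read, that order is forced, but then the upload step needs per-file size and file-count limits and the rejection paths need to discard whatever was stored; `bannerFiles` is defined outside this diff, so I cannot confirm it does either. Worth recording the reason on the route with a comment such as `//bannerFiles must run first so csrf can read the multipart body; uploads are parsed before auth, so limits/cleanup live in bannerFiles`. The handler body continues past the end of the hunk.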
@@ -443,7 +455,7 @@ router.post('/board/:board/deletebanners', csrf, Boards.exists, checkPermsMiddle //actions for a specific board router.post('/board/:board/actions', Boards.exists, banCheck, paramConverter, verifyCaptcha, boardActionController); //Captcha on regular actions
-router.post('/board/:board/modactions', csrf, Boards.exists, checkPermsMiddleware(3), paramConverter, boardActionController); //CSRF for mod actions
+router.post('/board/:board/modactions', csrf, Boards.exists, isLoggedIn, checkPermsMiddleware(3), paramConverter, boardActionController); //CSRF for mod actions
 async function boardActionController(req, res, next) { const errors = [];
@@ -518,7 +530,7 @@ async function boardActionController(req, res, next) { } //global actions (global manage page)
-router.post('/global/actions', csrf, checkPermsMiddleware(1), paramConverter, globalActionController);
+router.post('/global/actions', csrf, isLoggedIn, checkPermsMiddleware(1), paramConverter, globalActionController);
 async function globalActionController(req, res, next) { const errors = [];
@@ -572,7 +584,7 @@ async function globalActionController(req, res, next) { } //unban
-router.post('/board/:board/unban', csrf, Boards.exists, checkPermsMiddleware(3), paramConverter, async (req, res, next) => {
+router.post('/board/:board/unban', csrf, Boards.exists, isLoggedIn, checkPermsMiddleware(3), paramConverter, async (req, res, next) => {
 //keep this for later in case i add other options to unbans const errors = [];
@@ -604,7 +616,7 @@ router.post('/board/:board/unban', csrf, Boards.exists, checkPermsMiddleware(3), });
-router.post('/global/unban', csrf, checkPermsMiddleware(1), paramConverter, async(req, res, next) => {
+router.post('/global/unban', csrf, isLoggedIn, checkPermsMiddleware(1), paramConverter, async(req, res, next) => {
 const errors = [];
diff --git a/helpers/checks/bancheck.js b/helpers/checks/bancheck.js
index 9721b8fe..e6238ac1 100644
--- a/helpers/checks/bancheck.js 
+++ b/helpers/checks/bancheck.js
@@ -5,7 +5,8 @@ const Bans = require(__dirname+'/../../db/bans.js') module.exports = async (req, res, next) => {
- if (hasPerms(req, res) <= 1) {
+ const permLevel = hasPerms(req, res);
+ if (permLevel >= 4) {
 const bans = await Bans.find(res.locals.ip, res.locals.board ? res.locals.board._id : null); if (bans && bans.length > 0) { //TODO: show posts banned for, expiry, etc