@ -46,8 +46,8 @@ const express = require('express')
, changeBoardSettings = require ( _ _dirname + '/../models/forms/changeboardsettings.js' )
, changeBoardSettings = require ( _ _dirname + '/../models/forms/changeboardsettings.js' )
, registerAccount = require ( _ _dirname + '/../models/forms/register.js' )
, registerAccount = require ( _ _dirname + '/../models/forms/register.js' )
, createBoard = require ( _ _dirname + '/../models/forms/create.js' )
, createBoard = require ( _ _dirname + '/../models/forms/create.js' )
, checkPermsMiddleware = require ( _ _dirname + '/../helpers/checks/has permsmiddleware.js' )
, calcPerms = require ( _ _dirname + '/../helpers/checks/calc permsmiddleware.js' )
, check Perms = require ( _ _dirname + '/../helpers/checks/hasperms.js' )
, has Perms = require ( _ _dirname + '/../helpers/checks/haspermsmiddleware .js' )
, spamCheck = require ( _ _dirname + '/../helpers/checks/spamcheck.js' )
, spamCheck = require ( _ _dirname + '/../helpers/checks/spamcheck.js' )
, paramConverter = require ( _ _dirname + '/../helpers/paramconverter.js' )
, paramConverter = require ( _ _dirname + '/../helpers/paramconverter.js' )
, banCheck = require ( _ _dirname + '/../helpers/checks/bancheck.js' )
, banCheck = require ( _ _dirname + '/../helpers/checks/bancheck.js' )
@ -149,10 +149,9 @@ router.post('/changepassword', verifyCaptcha, async (req, res, next) => {
} ) ;
} ) ;
//create board
//create board
router . post ( '/create' , csrf , isLoggedIn , verifyCaptcha , ( req , res , next ) => {
router . post ( '/create' , csrf , isLoggedIn , verifyCaptcha , calcPerms , hasPerms ( 4 ) , ( req , res , next ) => {
res . locals . authLevel = checkPerms ( req , res ) ;
if ( enableUserBoards === false && res . locals . permLevel !== 0 ) {
if ( enableUserBoards === false && res . locals . authLevel !== 0 ) {
//only board admin can create boards when user board creation disabled
//only board admin can create boards when user board creation disabled
return res . status ( 400 ) . render ( 'message' , {
return res . status ( 400 ) . render ( 'message' , {
'title' : 'Bad request' ,
'title' : 'Bad request' ,
@ -251,7 +250,7 @@ router.post('/register', verifyCaptcha, (req, res, next) => {
// make new post
// make new post
router . post ( '/board/:board/post' , Boards . exists , banCheck , postFiles , paramConverter , verifyCaptcha , async ( req , res , next ) => {
router . post ( '/board/:board/post' , Boards . exists , calcPerms , banCheck , postFiles , paramConverter , verifyCaptcha , async ( req , res , next ) => {
if ( req . files && req . files . file ) {
if ( req . files && req . files . file ) {
if ( Array . isArray ( req . files . file ) ) {
if ( Array . isArray ( req . files . file ) ) {
@ -333,7 +332,7 @@ router.post('/board/:board/post', Boards.exists, banCheck, postFiles, paramConve
} ) ;
} ) ;
//board settings
//board settings
router . post ( '/board/:board/settings' , csrf , Boards . exists , banCheck , isLoggedIn , checkPermsMiddleware ( 2 ) , paramConverter , async ( req , res , next ) => {
router . post ( '/board/:board/settings' , csrf , Boards . exists , calcPerms , banCheck , isLoggedIn , hasPerms ( 2 ) , paramConverter , async ( req , res , next ) => {
const errors = [ ] ;
const errors = [ ] ;
@ -394,7 +393,7 @@ router.post('/board/:board/settings', csrf, Boards.exists, banCheck, isLoggedIn,
} ) ;
} ) ;
//upload banners
//upload banners
router . post ( '/board/:board/addbanners' , bannerFiles , csrf , Boards . exists , banCheck , isLoggedIn , checkPermsMiddleware ( 2 ) , paramConverter , async ( req , res , next ) => {
router . post ( '/board/:board/addbanners' , bannerFiles , csrf , Boards . exists , calcPerms , banCheck , isLoggedIn , hasPerms ( 2 ) , paramConverter , async ( req , res , next ) => {
if ( req . files && req . files . file ) {
if ( req . files && req . files . file ) {
if ( Array . isArray ( req . files . file ) ) {
if ( Array . isArray ( req . files . file ) ) {
@ -433,7 +432,7 @@ router.post('/board/:board/addbanners', bannerFiles, csrf, Boards.exists, banChe
} ) ;
} ) ;
//delete banners
//delete banners
router . post ( '/board/:board/deletebanners' , csrf , Boards . exists , banCheck , isLoggedIn , checkPermsMiddleware ( 2 ) , paramConverter , async ( req , res , next ) => {
router . post ( '/board/:board/deletebanners' , csrf , Boards . exists , calcPerms , banCheck , isLoggedIn , hasPerms ( 2 ) , paramConverter , async ( req , res , next ) => {
const errors = [ ] ;
const errors = [ ] ;
@ -469,8 +468,8 @@ router.post('/board/:board/deletebanners', csrf, Boards.exists, banCheck, isLogg
} ) ;
} ) ;
//actions for a specific board
//actions for a specific board
router . post ( '/board/:board/actions' , Boards . exists , banCheck , paramConverter , verifyCaptcha , boardActionController ) ; //Captcha on regular actions
router . post ( '/board/:board/actions' , Boards . exists , calcPerms , banCheck , paramConverter , verifyCaptcha , boardActionController ) ; //Captcha on regular actions
router . post ( '/board/:board/modactions' , csrf , Boards . exists , banCheck , isLoggedIn , checkPermsMiddleware ( 3 ) , paramConverter , boardActionController ) ; //CSRF for mod actions
router . post ( '/board/:board/modactions' , csrf , Boards . exists , calcPerms , banCheck , isLoggedIn , hasPerms ( 3 ) , paramConverter , boardActionController ) ; //CSRF for mod actions
async function boardActionController ( req , res , next ) {
async function boardActionController ( req , res , next ) {
const errors = [ ] ;
const errors = [ ] ;
@ -488,9 +487,8 @@ async function boardActionController(req, res, next) {
}
}
//check if they have permission to perform the actions
//check if they have permission to perform the actions
res . locals . authLevel = checkPerms ( req , res ) ;
if ( res . locals . permLevel >= 4 ) {
if ( res . locals . authLevel >= 4 ) {
if ( res . locals . permLevel > res . locals . actions . authRequired ) {
if ( res . locals . authLevel > res . locals . actions . authRequired ) {
errors . push ( 'No permission' ) ;
errors . push ( 'No permission' ) ;
}
}
if ( req . body . delete && ! res . locals . board . settings . userPostDelete ) {
if ( req . body . delete && ! res . locals . board . settings . userPostDelete ) {
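Review bot: The permission gate in boardActionController fails open if `res.locals.permLevel` was never set, because `undefined >= 4` is false and the regular-user branch with the `authRequired` comparison is then skipped. Before this change the level was computed inline by `checkPerms(req, res)` just above the test. It now depends on every route that mounts the controller listing `calcPerms` first, which both routes in this diff do. A guard ahead of the test would stop a later route from silently treating a request as staff, for example `if (typeof res.locals.permLevel !== 'number') { return next(new Error('calcPerms must run before boardActionController')); }`. The function starts and continues outside this hunk, so it is also worth confirming that no other reads of `res.locals.authLevel` remain in the body.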
@ -545,7 +543,7 @@ async function boardActionController(req, res, next) {
}
}
//global actions (global manage page)
//global actions (global manage page)
router . post ( '/global/actions' , csrf , isLoggedIn , checkPermsMiddleware ( 1 ) , paramConverter , globalActionController ) ;
router . post ( '/global/actions' , csrf , calcPerms , isLoggedIn , hasPerms ( 1 ) , paramConverter , globalActionController ) ;
async function globalActionController ( req , res , next ) {
async function globalActionController ( req , res , next ) {
const errors = [ ] ;
const errors = [ ] ;
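Review bot: On `/global/actions`, `calcPerms` is placed before `isLoggedIn` with no `Boards.exists` in the chain, so it runs for unauthenticated requests and without `res.locals.board`. The same ordering appears on `/global/unban` further down. calcPerms is not visible in this diff, so please confirm that it handles both cases by assigning the least-privileged level rather than throwing or leaving `permLevel` unset. If nothing between the two middlewares needs the level on the global routes, `csrf, isLoggedIn, calcPerms, hasPerms(1), paramConverter` states the dependency more plainly. Otherwise a comment on calcPerms saying that it tolerates a missing session and a missing board would document the contract.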
@ -599,7 +597,7 @@ async function globalActionController(req, res, next) {
}
}
//unban
//unban
router . post ( '/board/:board/unban' , csrf , Boards . exists , banCheck , isLoggedIn , checkPermsMiddleware ( 3 ) , paramConverter , async ( req , res , next ) => {
router . post ( '/board/:board/unban' , csrf , Boards . exists , calcPerms , banCheck , isLoggedIn , hasPerms ( 3 ) , paramConverter , async ( req , res , next ) => {
//keep this for later in case i add other options to unbans
//keep this for later in case i add other options to unbans
const errors = [ ] ;
const errors = [ ] ;
@ -632,7 +630,7 @@ router.post('/board/:board/unban', csrf, Boards.exists, banCheck, isLoggedIn, ch
} ) ;
} ) ;
//delete board
//delete board
router . post ( '/board/:board/deleteboard' , csrf , Boards . exists , banCheck , isLoggedIn , checkPermsMiddleware ( 2 ) , async ( req , res , next ) => {
router . post ( '/board/:board/deleteboard' , csrf , Boards . exists , calcPerms , banCheck , isLoggedIn , hasPerms ( 2 ) , async ( req , res , next ) => {
const errors = [ ] ;
const errors = [ ] ;
@ -673,7 +671,7 @@ router.post('/board/:board/deleteboard', csrf, Boards.exists, banCheck, isLogged
} ) ;
} ) ;
router . post ( '/global/unban' , csrf , isLoggedIn , checkPermsMiddleware ( 1 ) , paramConverter , async ( req , res , next ) => {
router . post ( '/global/unban' , csrf , calcPerms , isLoggedIn , hasPerms ( 1 ) , paramConverter , async ( req , res , next ) => {
const errors = [ ] ;
const errors = [ ] ;