Close #480 dont show "register" on login page if not allowed for regular user, since users might reach it clicking "manage" after the login redirect

2 years ago · 9c5dd5efa8
parent 9517ec2f05
commit 9c5dd5efa8
4 changed files with 6 additions and 4 deletions
--- a/configs/nginx/snippets/jschan_common_routes.conf
+++ b/configs/nginx/snippets/jschan_common_routes.conf
@ -29,7 +29,7 @@ location /captcha {
 }

 # authed, no cache pages
-location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|editnews/.*|accounts|editaccount/.*|roles|editrole/.*|settings))|sessions|mypermissions|account|create|csrf)\.(html|json)$ {
+location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|editnews/.*|accounts|editaccount/.*|roles|editrole/.*|settings))|sessions|mypermissions|account|create|csrf|login)\.(html|json)$ {
 	expires 0;
 	try_files /dev/null @backend-private;
 }
--- a/controllers/pages.js
+++ b/controllers/pages.js
@ -120,7 +120,7 @@ router.get('/bypass_minimal.html', setMinimal, blockBypass); //block bypass page
 router.get('/account.html', useSession, sessionRefresh, isLoggedIn, calcPerms, csrf, account); //page showing boards you are mod/owner of, links to password rese, logout, etc
 router.get('/mypermissions.html', useSession, sessionRefresh, isLoggedIn, calcPerms, myPermissions);
 router.get('/sessions.html', useSession, sessionRefresh, isLoggedIn, calcPerms, csrf, sessions);
-router.get('/login.html', login);
+router.get('/login.html', useSession, sessionRefresh, calcPerms, login);
 router.get('/register.html', register);
 router.get('/changepassword.html', changePassword);
 router.get('/create.html', useSession, sessionRefresh, isLoggedIn, create); //create new board
--- a/models/pages/login.js
+++ b/models/pages/login.js
@ -3,7 +3,8 @@
 module.exports = async (req, res) => {

 	res.render('login', {
-		'goto': (typeof req.query.goto === 'string' ? req.query.goto : null)
+		goto: (typeof req.query.goto === 'string' ? req.query.goto : null),
+		permissions: res.locals.permissions,
 	});

 };
--- a/views/pages/login.pug
+++ b/views/pages/login.pug
@ -15,6 +15,7 @@ block content
 				.label Password
 				input(type='password', name='password', maxlength='100' required)
 			input(type='submit', value='Submit')
-		p: a(href='/register.html') Register
+		if permissions.get(Permissions.CREATE_ACCOUNT)
+			p: a(href='/register.html') Register
 		p: a(href='/changepassword.html') Change Password