Fix post history for tor user and remove manual addban form from non-global manage pages (for now)

4 years ago · f1db4f7317
parent b50d39250a
commit f1db4f7317
5 changed files with 26 additions and 31 deletions
--- a/controllers/forms.js
+++ b/controllers/forms.js
@ -71,7 +71,8 @@ router.post('/board/:board/deleteboard', /*geoAndTor, torPreBypassCheck, process
 //global management forms
 router.post('/global/editbans', useSession, sessionRefresh, csrf, calcPerms, isLoggedIn, hasPerms(1), paramConverter, editBansController); //remove bans
-router.post('/global/addban', geoAndTor, torPreBypassCheck, processIp, useSession, sessionRefresh, csrf, calcPerms, isLoggedIn, hasPerms(1), paramConverter, addBanController); //add ban manually without post
+//commented out for now, because we cant add a manual ban based on a non existing hash suffix (or fetch the full hash from a non existing post), and the user wouldnt know if it the post didn't exist so its pointless anyway. 
 //router.post('/global/addban', geoAndTor, torPreBypassCheck, processIp, useSession, sessionRefresh, csrf, calcPerms, isLoggedIn, hasPerms(1), paramConverter, addBanController); //add ban manually without post
 router.post('/global/deleteboard', useSession, sessionRefresh, csrf, paramConverter, calcPerms, isLoggedIn, hasPerms(1), deleteBoardController); //delete board
 router.post('/global/addnews', useSession, sessionRefresh, csrf, calcPerms, isLoggedIn, hasPerms(0), addNewsController); //add new newspost
 router.post('/global/deletenews', useSession, sessionRefresh, csrf, calcPerms, isLoggedIn, hasPerms(0), paramConverter, deleteNewsController); //delete news
--- a/helpers/decodequeryip.js
+++ b/helpers/decodequeryip.js
@ -7,7 +7,7 @@ const escapeRegExp = require(__dirname+'/escaperegexp.js')
 module.exports = (query, permLevel) => {
 	if (query.ip && typeof query.ip === 'string') {
 		const decoded = decodeURIComponent(query.ip);
-		if (permLevel <= ipHashPermLevel && isIP(decoded)) { //if perms to view raw ip, allow querying
+		if (permLevel <= ipHashPermLevel && (isIP(decoded) || decoded.match(/[a-z0-9]{24}/i))) { //if perms to view raw ip or bypass, allow querying
 			return decoded;
 		} else if (decoded.length === 10) { //otherwise, only allow last 10 char substring
 			return new RegExp(`${escapeRegExp(decoded)}$`);
--- a/views/pages/managebans.pug
+++ b/views/pages/managebans.pug
@ -11,12 +11,6 @@ block content
 	br
 	+managenav('bans')
 	hr(size=1)
 	h4.no-m-p Add Ban:
 	.form-wrapper.flexleft
 		form.form-post(action=`/forms/board/${board._id}/addban`, enctype='application/x-www-form-urlencoded', method='POST')
 			input(type='hidden' name='_csrf' value=csrf)
 			include ../includes/addbanform.pug
 	hr(size=1)
 	h4.no-m-p Bans & Appeals:
 	form(action=`/forms/board/${board._id}/editbans` method='POST' enctype='application/x-www-form-urlencoded')
 		include ../includes/managebanform.pug