From a1e3f72fab8817d0c40f8c7049d3648b2ba63215 Mon Sep 17 00:00:00 2001
From: Andrea Vos
Date: Thu, 2 Dec 2021 19:11:04 +0100
Subject: [PATCH] [security] #286 prevent banned users from submitting content
---
 server/index.js | 4 ++++
 server/routes/census.js | 2 +-
 server/routes/inclusive.js | 10 +++++-----
 server/routes/names.js | 10 +++++-----
 server/routes/nouns.js | 10 +++++-----
 server/routes/sources.js | 10 +++++-----
 server/routes/terms.js | 10 +++++-----
 server/routes/user.js | 2 +-
 8 files changed, 31 insertions(+), 27 deletions(-)
diff --git a/server/index.js b/server/index.js
index 35dd97f1f..270c3c8f3 100644
--- a/server/index.js
+++ b/server/index.js
@@ -67,6 +67,10 @@ app.use(async function (req, res, next) {
 req.user = req.rawUser && req.rawUser.authenticated ? req.rawUser : null;
 req.isGranted = (area = '', locale = global.config.locale) => req.user && isGranted(req.user, locale, area);
 req.db = new LazyDatabase();
+ req.isUserAllowedToPost = async () => {
+ const user = await req.db.get(SQL`SELECT bannedReason FROM users WHERE id = ${req.user.id}`);
+ return user && !user.bannedReason;
+ }
 res.on('finish', async () => {
 await req.db.close();
 });
diff --git a/server/routes/census.js b/server/routes/census.js
index 1f7cff388..52c620092 100644
--- a/server/routes/census.js
+++ b/server/routes/census.js
@@ -78,7 +78,7 @@ router.get('/census/count', handleErrorAsync(async (req, res) => {
 router.get('/census/export', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('census')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 const report = [];
diff --git a/server/routes/inclusive.js b/server/routes/inclusive.js
index da34e4f82..be99f4550 100644
--- a/server/routes/inclusive.js
+++ b/server/routes/inclusive.js
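Review bot: `req.isUserAllowedToPost` reads `req.user.id` without first checking that `req.user` is set, so calling it on an anonymous request throws a TypeError instead of returning false; the route hunks only survive because they short-circuit on `!req.user` before the call. Make the helper safe on its own by opening it with `if (!req.user) { return false; }` and terminate the arrow assignment with a semicolon. The ban is consulted only on the `/submit` routes, while `req.isGranted`, which the hide/approve/remove routes rely on, still derives from the token alone, so an account that is banned but still holds a moderation grant keeps those actions until its token expires — if that is not intended, the same lookup belongs inside `req.isGranted`. The enclosing `app.use` callback starts and ends outside the hunk.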
@@ -49,8 +49,8 @@ router.get('/inclusive/search/:term', handleErrorAsync(async (req, res) => {
 }));
 router.post('/inclusive/submit', handleErrorAsync(async (req, res) => {
- if (!req.user) {
- res.status(401).json({error: 'Unauthorised'});
+ if (!req.user || !await req.isUserAllowedToPost()) {
+ return res.status(401).json({error: 'Unauthorised'});
 }
 if (!(req.user && req.user.admin) && isTroll(JSON.stringify(req.body))) {
@@ -77,7 +77,7 @@ router.post('/inclusive/submit', handleErrorAsync(async (req, res) => {
 router.post('/inclusive/hide/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('inclusive')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
@@ -93,7 +93,7 @@ router.post('/inclusive/hide/:id', handleErrorAsync(async (req, res) => {
 router.post('/inclusive/approve/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('inclusive')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await approve(req.db, req.params.id);
@@ -103,7 +103,7 @@ router.post('/inclusive/approve/:id', handleErrorAsync(async (req, res) => {
 router.post('/inclusive/remove/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('inclusive')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
diff --git a/server/routes/names.js b/server/routes/names.js
index 89896bd5b..4f4d6469e 100644
--- a/server/routes/names.js
+++ b/server/routes/names.js
@@ -37,8 +37,8 @@ router.get('/names', handleErrorAsync(async (req, res) => {
 }));
 router.post('/names/submit', handleErrorAsync(async (req, res) => {
- if (!req.user) {
- res.status(401).json({error: 'Unauthorised'});
+ if (!req.user || !await req.isUserAllowedToPost()) {
+ return res.status(401).json({error: 'Unauthorised'});
 }
 if (!(req.user && req.user.admin) && isTroll(JSON.stringify(req.body))) {
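Review bot: The new guard in `/inclusive/submit` answers a banned but authenticated user with the same 401 `Unauthorised` body as an anonymous request, so a client cannot tell "log in" apart from "you may not post" and may simply re-authenticate and retry. Either return `res.status(403).json({error: 'Forbidden'})` for the banned case, or, if collapsing both into 401 is deliberate so the ban is not disclosed, say so in a one-line comment above the guard. The `req.user &&` in the troll check two lines below is now dead, because the guard has already returned for a missing user, and can be reduced to `if (!req.user.admin && isTroll(JSON.stringify(req.body))) {`. The same two points apply to the submit hunks in names.js, nouns.js, sources.js and terms.js. Each submit handler continues past its hunk.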
@@ -68,7 +68,7 @@ router.post('/names/submit', handleErrorAsync(async (req, res) => {
 router.post('/names/hide/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('names')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
@@ -84,7 +84,7 @@ router.post('/names/hide/:id', handleErrorAsync(async (req, res) => {
 router.post('/names/approve/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('names')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await approve(req.db, req.params.id);
@@ -94,7 +94,7 @@ router.post('/names/approve/:id', handleErrorAsync(async (req, res) => {
 router.post('/names/remove/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('names')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
diff --git a/server/routes/nouns.js b/server/routes/nouns.js
index 917093100..feef7326f 100644
--- a/server/routes/nouns.js
+++ b/server/routes/nouns.js
@@ -97,8 +97,8 @@ router.get('/nouns/search/:term', handleErrorAsync(async (req, res) => {
 }));
 router.post('/nouns/submit', handleErrorAsync(async (req, res) => {
- if (!req.user) {
- res.status(401).json({error: 'Unauthorised'});
+ if (!req.user || !await req.isUserAllowedToPost()) {
+ return res.status(401).json({error: 'Unauthorised'});
 }
 if (!(req.user && req.user.admin) && isTroll(JSON.stringify(req.body))) {
@@ -126,7 +126,7 @@ router.post('/nouns/submit', handleErrorAsync(async (req, res) => {
 router.post('/nouns/hide/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('nouns')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
@@ -142,7 +142,7 @@ router.post('/nouns/hide/:id', handleErrorAsync(async (req, res) => {
 router.post('/nouns/approve/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('nouns')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await approve(req.db, req.params.id);
@@ -152,7 +152,7 @@ router.post('/nouns/approve/:id', handleErrorAsync(async (req, res) => {
 router.post('/nouns/remove/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('nouns')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
diff --git a/server/routes/sources.js b/server/routes/sources.js
index 059479d6f..d3e4c6ebe 100644
--- a/server/routes/sources.js
+++ b/server/routes/sources.js
@@ -83,8 +83,8 @@ router.get('/sources/:id', handleErrorAsync(async (req, res) => {
 }));
 router.post('/sources/submit', handleErrorAsync(async (req, res) => {
- if (!req.user) {
- res.status(401).json({error: 'Unauthorised'});
+ if (!req.user || !await req.isUserAllowedToPost()) {
+ return res.status(401).json({error: 'Unauthorised'});
 }
 const id = ulid();
@@ -108,7 +108,7 @@ router.post('/sources/submit', handleErrorAsync(async (req, res) => {
 router.post('/sources/hide/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('sources')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
@@ -122,7 +122,7 @@ router.post('/sources/hide/:id', handleErrorAsync(async (req, res) => {
 router.post('/sources/approve/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('sources')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await approve(req.db, req.params.id);
@@ -132,7 +132,7 @@ router.post('/sources/approve/:id', handleErrorAsync(async (req, res) => {
 router.post('/sources/remove/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('sources')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
diff --git a/server/routes/terms.js b/server/routes/terms.js
index ebaee6829..71fd9cb4a 100644
--- a/server/routes/terms.js
+++ b/server/routes/terms.js
@@ -82,8 +82,8 @@ router.get('/terms/search/:term', handleErrorAsync(async (req, res) => {
 }));
 router.post('/terms/submit', handleErrorAsync(async (req, res) => {
- if (!req.user) {
- res.status(401).json({error: 'Unauthorised'});
+ if (!req.user || !await req.isUserAllowedToPost()) {
+ return res.status(401).json({error: 'Unauthorised'});
 }
 if (!(req.user && req.user.admin) && isTroll(JSON.stringify(req.body))) {
@@ -110,7 +110,7 @@ router.post('/terms/submit', handleErrorAsync(async (req, res) => {
 router.post('/terms/hide/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('terms')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
@@ -126,7 +126,7 @@ router.post('/terms/hide/:id', handleErrorAsync(async (req, res) => {
 router.post('/terms/approve/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('terms')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await approve(req.db, req.params.id);
@@ -136,7 +136,7 @@ router.post('/terms/approve/:id', handleErrorAsync(async (req, res) => {
 router.post('/terms/remove/:id', handleErrorAsync(async (req, res) => {
 if (!req.isGranted('terms')) {
- res.status(401).json({error: 'Unauthorised'});
+ return res.status(401).json({error: 'Unauthorised'});
 }
 await req.db.get(SQL`
diff --git a/server/routes/user.js b/server/routes/user.js
index 07bf31f96..91814a19c 100644
--- a/server/routes/user.js
+++ b/server/routes/user.js
@@ -504,7 +504,7 @@ router.get('/admin/impersonate/:email', handleErrorAsync(async (req, res) => {
 return res.status(401).json({error: 'Unauthorised'});
 }
- res.json({token: await issueAuthentication(req.db, {email: req.params.email})});
+ return res.json({token: await issueAuthentication(req.db, {email: req.params.email})});
 }));
 export default router;
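Review bot: The `return` added to the last statement of the `/admin/impersonate/:email` handler changes nothing at runtime, since no code follows it; keeping it for consistency with the other routes is fine, but the hunk should not be read as a fix. What the visible lines of this route still lack is any record of which administrator minted a token for which account: `issueAuthentication` is called with only `req.params.email`, so an audit log line before that call (the acting `req.user` identity, the target email and a timestamp) is what would let an impersonation be traced later. The permission check guarding the route starts outside the hunk, so only its 401 branch is visible here.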