fix(noteController): should check permission when user view note

Signed-off-by: BoHong Li <raccoon@hackmd.io>
This commit is contained in:
BoHong Li 2020-02-07 10:55:50 +08:00
parent ea52ed8689
commit 7969d17366
No known key found for this signature in database
GPG Key ID: 06770355DC9ECD38
1 changed files with 19 additions and 0 deletions


@ -77,6 +77,16 @@ async function showNote (req, res) {
return responseCodiMD(res, note)
}
function canViewNote (note, isLogin, userId) {
if (note.permission === 'private') {
return note.ownerId === userId
}
if (note.permission === 'limited' || note.permission === 'protected') {
return isLogin
}
return true
}
async function showPublishNote (req, res) {
const shortid = req.params.shortid
@ -84,6 +94,10 @@ async function showPublishNote (req, res) {
includeUser: true
})
if (!canViewNote(note, req.isAuthenticated(), req.user ? req.user.id : null)) {
return errorForbidden(req)
}
if (!note) {
return errorNotFound(res)
}
@ -130,10 +144,15 @@ async function noteActions (req, res) {
const noteId = req.params.noteId
const note = await getNoteById(noteId)
if (!note) {
return errorNotFound(res)
}
if (!canViewNote(note, req.isAuthenticated(), req.user ? req.user.id : null)) {
return errorForbidden(req)
}
const action = req.params.action
switch (action) {
case 'publish':