From 7969d173668b77ca7262a471333f72715b12f1f7 Mon Sep 17 00:00:00 2001
From: BoHong Li
Date: Fri, 7 Feb 2020 10:55:50 +0800
Subject: [PATCH] fix(noteController): should check permission when user view note

Signed-off-by: BoHong Li
---
 lib/note/index.js | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/lib/note/index.js b/lib/note/index.js
index 54bf5fba..10ae734b 100644
--- a/lib/note/index.js
+++ b/lib/note/index.js
@@ -77,6 +77,16 @@ async function showNote (req, res) {
   return responseCodiMD(res, note)
 }
 
+function canViewNote (note, isLogin, userId) {
+  if (note.permission === 'private') {
+    return note.ownerId === userId
+  }
+  if (note.permission === 'limited' || note.permission === 'protected') {
+    return isLogin
+  }
+  return true
+}
+
 async function showPublishNote (req, res) {
   const shortid = req.params.shortid
 
@@ -84,6 +94,10 @@ async function showPublishNote (req, res) {
     includeUser: true
   })
 
+  if (!canViewNote(note, req.isAuthenticated(), req.user ? req.user.id : null)) {
+    return errorForbidden(req)
+  }
+
   if (!note) {
     return errorNotFound(res)
   }
@@ -130,10 +144,15 @@ async function noteActions (req, res) {
   const noteId = req.params.noteId
   const note = await getNoteById(noteId)
 
+
   if (!note) {
     return errorNotFound(res)
   }
 
+  if (!canViewNote(note, req.isAuthenticated(), req.user ? req.user.id : null)) {
+    return errorForbidden(req)
+  }
+
   const action = req.params.action
   switch (action) {
     case 'publish':
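Review bot: `note.ownerId === userId` in the new `canViewNote` is also true when both sides are null, so if a note with `permission === 'private'` can exist without an owner (an anonymously created note, presumably — worth confirming against how permission gets set), every unauthenticated request would pass the owner check; tying it to the login flag closes that, `return isLogin && note.ownerId === userId`. The trailing `return true` is likewise reached for any permission value the two `if`s do not name, including an unset one, which fails open; if the set of publicly readable levels is known, comparing against that list explicitly would be the safer default. The function also has no doc comment; I would add one above it saying it is the read-access gate keyed on the note's `permission` value: 'private' is owner-only, 'limited' and 'protected' require a signed-in user, and any other value is readable by anyone.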
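Review bot: The new `canViewNote` call in `showPublishNote` runs before the existing `if (!note)` guard, so a request for an unknown shortid dereferences `note.permission` on null and the handler throws instead of producing the 404 the next block intends; move the permission check below `if (!note) { return errorNotFound(res) }`, as the `noteActions` hunk already orders it. The rejection path also calls `errorForbidden(req)` while the adjacent `errorNotFound(res)` is handed the response object; unless `errorForbidden` genuinely takes only the request (its definition is not in this patch), no 403 is ever written and the call is likely meant to be `errorForbidden(req, res)`. The body of showPublishNote continues past the end of the hunk.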
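Review bot: `return errorForbidden(req)` in the block added to `noteActions` passes only the request, whereas `errorNotFound(res)` three lines above receives the response object; if `errorForbidden` needs `res` to send the 403 (confirm against its definition, which is outside this patch), this branch leaves the request without a reply, and the call should presumably read `errorForbidden(req, res)` here and at the matching site in `showPublishNote`. The pair `req.isAuthenticated(), req.user ? req.user.id : null` is now spelled out identically at both call sites; computing it once (for instance by letting a small helper derive login state and user id from `req`) would keep the two gates from drifting apart as more actions are added. The switch on `action` continues beyond the hunk.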