fix(writeapi): calls to profile editing routes 200 even if user DNE

NodeBB · Oct 8, 2020 · 8e7baac · 8e7baac
1 parent 7757f96
commit 8e7baac
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 7 deletions.
diff --git a/src/middleware/assert.js b/src/middleware/assert.js
@@ -5,12 +5,21 @@
  * payload and throw an error otherwise.
  */
 
+const user = require('../user');
 const groups = require('../groups');
 const topics = require('../topics');
 
 const helpers = require('../controllers/helpers');
 
 module.exports = function (middleware) {
+	middleware.assertUser = async (req, res, next) => {
+		if (!await user.exists(req.params.uid)) {
+			return helpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
+		}
+
+		next();
+	};
+
 	middleware.assertGroup = async (req, res, next) => {
 		const name = await groups.getGroupNameByGroupSlug(req.params.slug);
 		if (!name || await groups.exists(name)) {

diff --git a/src/routes/write/users.js b/src/routes/write/users.js
@@ -18,16 +18,16 @@ function authenticatedRoutes() {
 	setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['username']), middleware.isAdmin], 'post', controllers.write.users.create);
 	setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['uids']), middleware.isAdmin, middleware.exposePrivileges], 'delete', controllers.write.users.deleteMany);
 
-	setupApiRoute(router, '/:uid', middleware, [...middlewares], 'put', controllers.write.users.update);
-	setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
+	setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.update);
+	setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
 
-	setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword'])], 'put', controllers.write.users.changePassword);
+	setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword']), middleware.assertUser], 'put', controllers.write.users.changePassword);
 
-	setupApiRoute(router, '/:uid/follow', middleware, [...middlewares], 'put', controllers.write.users.follow);
-	setupApiRoute(router, '/:uid/follow', middleware, [...middlewares], 'delete', controllers.write.users.unfollow);
+	setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.follow);
+	setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'delete', controllers.write.users.unfollow);
 
-	setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.exposePrivileges], 'put', controllers.write.users.ban);
-	setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
+	setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'put', controllers.write.users.ban);
+	setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
 
 	/**
 	 * Chat routes were not migrated because chats may get refactored... also the logic is derpy