fix: #7494
barisusakli committed Mar 26, 2019
1 parent 63e16ec commit 8f55ab1
Showing 3 changed files with 8 additions and 5 deletions.
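--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -93,6 +93,9 @@ module.exports = function (middleware) {
 };
 
 middleware.canViewUsers = function canViewUsers(req, res, next) {
+if (parseInt(res.locals.uid, 10) === req.uid) {
+return next();
+}
 privileges.global.can('view:users', req.uid, function (err, canView) {
 if (err || canView) {
 return next(err);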
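Review bot: The new self-view shortcut in `canViewUsers` skips the `view:users` privilege lookup whenever `parseInt(res.locals.uid, 10) === req.uid`, but it never requires the requester to be a logged-in account. If guest requests carry `req.uid` 0 (not visible in this hunk) and `res.locals.uid` can ever resolve to 0, a guest would pass without the privilege check; tightening the guard to `if (req.uid > 0 && parseInt(res.locals.uid, 10) === req.uid) {` keeps the shortcut for real accounts only. When `res.locals.uid` is unset, `parseInt` yields NaN and the request falls through to `privileges.global.can`, which is the safe direction. The body of `canViewUsers` continues past the end of the hunk.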
4 changes: 2 additions & 2 deletions src/routes/accounts.js
Expand Up @@ -4,8 +4,8 @@ var helpers = require('./helpers');
var setupPageRoute = helpers.setupPageRoute;

module.exports = function (app, middleware, controllers) {
var middlewares = [middleware.canViewUsers, middleware.exposeUid];
var accountMiddlewares = [middleware.canViewUsers, middleware.checkAccountPermissions, middleware.exposeUid];
var middlewares = [middleware.exposeUid, middleware.canViewUsers];
var accountMiddlewares = [middleware.exposeUid, middleware.canViewUsers, middleware.checkAccountPermissions];

setupPageRoute(app, '/me/*', middleware, [], middleware.redirectMeToUserslug);
setupPageRoute(app, '/uid/:uid*', middleware, [], middleware.redirectUidToUserslug);
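Review bot: The order of the `middlewares` and `accountMiddlewares` arrays is now load-bearing for authorization, and nothing in the file says so. `canViewUsers` (changed in src/middleware/user.js in this commit) reads `res.locals.uid`, which `exposeUid` presumably populates, so a later edit that moves `canViewUsers` back to the front would silently disable the self-view path. I would add a comment above the two declarations: `// exposeUid must run before canViewUsers: it sets res.locals.uid, which canViewUsers compares with req.uid`.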
6 changes: 3 additions & 3 deletions src/routes/api.js
Expand Up @@ -16,7 +16,7 @@ module.exports = function (app, middleware, controllers) {
}
}, controllers.api.getConfig);

router.get('/me', middleware.canViewUsers, controllers.user.getCurrentUser);
router.get('/me', controllers.user.getCurrentUser);
router.get('/user/uid/:uid', middleware.canViewUsers, controllers.user.getUserByUID);
router.get('/user/username/:username', middleware.canViewUsers, controllers.user.getUserByUsername);
router.get('/user/email/:email', middleware.canViewUsers, controllers.user.getUserByEmail);
Expand All @@ -40,8 +40,8 @@ module.exports = function (app, middleware, controllers) {
var middlewares = [middleware.maintenanceMode, multipartMiddleware, middleware.validateFiles, middleware.applyCSRF];
router.post('/post/upload', middlewares, uploadsController.uploadPost);
router.post('/topic/thumb/upload', middlewares, uploadsController.uploadThumb);
router.post('/user/:userslug/uploadpicture', middlewares.concat([middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadPicture);
router.post('/user/:userslug/uploadpicture', middlewares.concat([middleware.exposeUid, middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadPicture);

router.post('/user/:userslug/uploadcover', middlewares.concat([middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadCoverPicture);
router.post('/user/:userslug/uploadcover', middlewares.concat([middleware.exposeUid, middleware.authenticate, middleware.canViewUsers, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadCoverPicture);
router.post('/groups/uploadpicture', middlewares.concat([middleware.authenticate]), controllers.groups.uploadCover);
};
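Review bot: On the two upload routes, `middleware.exposeUid` is placed ahead of `middleware.authenticate`, so the userslug lookup it presumably performs runs for requests that have not been authenticated yet. Nothing in `canViewUsers` needs the uid before authentication, so both `/user/:userslug/uploadpicture` and `/user/:userslug/uploadcover` can use `middlewares.concat([middleware.authenticate, middleware.exposeUid, middleware.canViewUsers, middleware.checkAccountPermissions])`, and rejected requests then do no per-user work. Separately, `/user/uid/:uid`, `/user/username/:username` and `/user/email/:email` still run `canViewUsers` without `exposeUid`, so the self-view shortcut never applies there. That fails closed, but it is worth confirming it is intended.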
