
add referer check to /api/admin/users/csv

barisusakli committed Dec 1, 2017
1 parent e3fd402 commit e6d31c8bd212d46272864103896728b70602c2da
Showing with 36 additions and 1 deletion.
  1. +6 −0 src/controllers/admin/users.js
  2. +30 −1 test/controllers-admin.js
@@ -2,6 +2,7 @@

var async = require('async');
var validator = require('validator');
var nconf = require('nconf');

var user = require('../../user');
var meta = require('../../meta');
@@ -183,6 +184,11 @@ function render(req, res, data) {
}

usersController.getCSV = function (req, res, next) {
var referer = req.headers.referer;

if (!referer || !referer.replace(nconf.get('url'), '').startsWith('/admin/manage/users')) {
return res.status(403).send('[[error:invalid-origin]]');
}
events.log({
type: 'getUsersCSV',
uid: req.user.uid,
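Review bot: The check at `if (!referer || !referer.replace(nconf.get('url'), '').startsWith('/admin/manage/users'))` strips the first occurrence of the configured url from anywhere in the header instead of requiring it as a prefix, so an origin-less value such as a bare `/admin/manage/users` path is accepted; only a non-browser client would send that, so the practical impact is limited, but the intent (same origin and the admin users page) is stated more directly and strictly as `var referer = req.headers.referer || '';` followed by `if (!referer.startsWith(nconf.get('url') + '/admin/manage/users')) {`, which the accompanying tests already satisfy since they pass the full url. Because the decision rests on the browser-supplied Referer, admins whose browser or referrer policy suppresses the header will get the 403 too; a comment above the check, `// Referer must point at the admin users page; blocks cross-site triggered CSV exports`, would make that trade-off visible to the next maintainer. The rest of getCSV, including the events.log call, continues past the end of the hunk.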
@@ -255,9 +255,38 @@ describe('Admin Controllers', function () {
});
});

it('should load /admin/users/csv', function (done) {
it('should return 403 if no referer', function (done) {
request(nconf.get('url') + '/api/admin/users/csv', { jar: jar }, function (err, res, body) {
assert.ifError(err);
assert.equal(res.statusCode, 403);
assert.equal(body, '[[error:invalid-origin]]');
done();
});
});

it('should return 403 if referer is not /admin/users/csv', function (done) {
request(nconf.get('url') + '/api/admin/users/csv', {
jar: jar,
headers: {
referer: '/topic/1/test',
},
}, function (err, res, body) {
assert.ifError(err);
assert.equal(res.statusCode, 403);
assert.equal(body, '[[error:invalid-origin]]');
done();
});
});

it('should load /admin/users/csv', function (done) {
request(nconf.get('url') + '/api/admin/users/csv', {
jar: jar,
headers: {
referer: nconf.get('url') + '/admin/manage/users',
},
}, function (err, res, body) {
assert.ifError(err);
assert.equal(res.statusCode, 200);
assert(body);
done();
});
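Review bot: The new cases cover a missing Referer and a relative path, but none asserts that the correct path on a foreign origin is rejected, which is the property a referer check exists to enforce; a third 403 case with a constructed foreign-origin value such as `referer: 'http://example.org/admin/manage/users'` (any host other than `nconf.get('url')`) would pin that. The description at `it('should return 403 if referer is not /admin/users/csv', ...)` names the request path rather than the page the controller looks for; `it('should return 403 if referer is not /admin/manage/users', function (done) {` matches the check. The enclosing describe starts before the hunk and the final `it` closes after it.

```javascript
	// … unchanged: 'should return 403 if no referer' and relative-referer cases …

	it('should return 403 if referer is the admin page on another origin', function (done) {
		request(nconf.get('url') + '/api/admin/users/csv', {
			jar: jar,
			headers: {
				referer: 'http://example.org/admin/manage/users', // constructed foreign origin
			},
		}, function (err, res, body) {
			assert.ifError(err);
			assert.equal(res.statusCode, 403);
			assert.equal(body, '[[error:invalid-origin]]');
			done();
		});
	});

	// … unchanged: 'should load /admin/users/csv' case …
```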
