author | Sheogorath | 2020-11-23 12:50:39 +0100 |
---|---|---|
committer | David Mehren | 2020-12-27 19:51:01 +0100 |
commit | d097211c545118ac13626e1b0a01390b08880ad7 (patch) | |
tree | 06b8cbb06e247bef2b20d5eb7786a055fec31dc7 | |
parent | dc29a286e665555cccb92760908e50cd967fd2e7 (diff) |
Fix unauthenticated file uploads
This patch fixes the issue of unauthenticated users being able to
upload files even when anonymous edits are disabled.
It is implemented by blocking uploads for all unauthenticated users when
`allowAnonymous` is set to `false`, unless `allowAnonymousEdits` is set
to true, to make sure anonymous editors still experience the full
feature set.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
-rw-r--r-- | lib/web/imageRouter/index.js | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
index b5c486c3..f456fd30 100644
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -23,6 +23,9 @@ imageRouter.post('/uploadimage', function (req, res) {
 if (err) {
 logger.error(`formidable error: ${err}`)
 return errors.errorForbidden(res)
+ } else if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) {
+ logger.error(`formidable error: Anonymous edits and therefore uploads are not allowed)`)
+ return errors.errorForbidden(res)
 } else if (!files.image || !files.image.path) {
 logger.error(`formidable error: Upload didn't contain file)`)
 return errors.errorBadRequest(res) |
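Review bot: The new authorization branch sits in the same `if (err)` chain that reads `files.image.path`, so it appears to run only after formidable has already parsed the request body; the parse call itself is outside the hunk, so this is inferred. If so, an unauthenticated upload is still received and presumably written to the temporary directory before the 403 is returned, and nothing in the visible lines removes that file on the rejection path. I would move the guard to the top of the `/uploadimage` handler, before the form is parsed: `if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) return errors.errorForbidden(res)`. The log line is also misleading for anyone monitoring rejected uploads: it is not a formidable error and carries a stray `)`, so a distinct message such as `logger.warn('Rejected upload: anonymous edits and uploads are disabled')` would be easier to alert on.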