summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSheogorath2020-11-23 12:50:39 +0100
committerDavid Mehren2020-12-27 19:51:01 +0100
commitd097211c545118ac13626e1b0a01390b08880ad7 (patch)
tree06b8cbb06e247bef2b20d5eb7786a055fec31dc7
parentdc29a286e665555cccb92760908e50cd967fd2e7 (diff)
Fix unauthenticated file uploads
This patch fixes the issue of unauthenticated users, being able to upload files, even when anonymous edits are disabled. It's implemented by blocking uploads when either `allowAnonymous` is set to `false` for all unauthenticated users, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
-rw-r--r--lib/web/imageRouter/index.js3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
index b5c486c3..f456fd30 100644
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -23,6 +23,9 @@ imageRouter.post('/uploadimage', function (req, res) {
if (err) {
logger.error(`formidable error: ${err}`)
return errors.errorForbidden(res)
+ } else if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) {
+ logger.error(`formidable error: Anonymous edits and therefore uploads are not allowed)`)
+ return errors.errorForbidden(res)
} else if (!files.image || !files.image.path) {
logger.error(`formidable error: Upload didn't contain file)`)
return errors.errorBadRequest(res)