Fix anonymouse view permission check

author: 蒼時弦也 2017-01-05 23:37:10 +0800
committer: 蒼時弦也 2017-01-05 23:37:10 +0800
commit: 1fbecbb03d8e94d310885da7d26e1654c548c364 (patch)
tree: 5c87b4cef4e679e381a4de2ea84adc3cdcfa68b2 /lib/response.js
parent: aaf1ff4b2f5ae7ae3a5e4e4a202422484503f559 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/response.js b/lib/response.js
index 69854815..e8430d60 100755
--- a/lib/response.js
+++ b/lib/response.js
@@ -117,12 +117,15 @@ function newNote(req, res, next) {
 }
 
 function checkViewPermission(req, note) {
-    if (note.permission == 'private' || !config.allowanonymousView) {
+    if (note.permission == 'private') {
         if (!req.isAuthenticated() || note.ownerId != req.user.id)
             return false;
         else
             return true;
     } else {
+        if(!config.allowanonymousView && !req.isAuthenticated()) {
+            return false;
+        }
         return true;
     }
 }
author	蒼時弦也	2017-01-05 23:37:10 +0800
committer	蒼時弦也	2017-01-05 23:37:10 +0800
commit	1fbecbb03d8e94d310885da7d26e1654c548c364 (patch)
tree	5c87b4cef4e679e381a4de2ea84adc3cdcfa68b2 /lib/response.js
parent	aaf1ff4b2f5ae7ae3a5e4e4a202422484503f559 (diff)