summaryrefslogtreecommitdiff
path: root/lib/web
diff options
context:
space:
mode:
authorNicolas Dietrich2021-01-22 16:47:47 +0100
committerNicolas Dietrich2021-01-22 16:52:49 +0100
commit497569fee4a841b13ed1606ca54f269162d3fa62 (patch)
tree3ad268aa959c51630cbc61a2b2fa73095585193b /lib/web
parent3331c0947cb6d63ce7f2846c38d5a7b82960b2eb (diff)
Add config option which requires authentication in FreeURL mode
This mitigates unintended note creation by bots or humans through a simple GET call. See discussion in #754. Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
Diffstat (limited to 'lib/web')
-rw-r--r--lib/web/note/util.js2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index 75f0c815..57438515 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -52,7 +52,7 @@ exports.newNote = function (req, res, body) {
return errors.errorForbidden(res)
}
if (noteId) {
- if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) {
+ if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId) && (!config.requireFreeURLAuthentication || req.isAuthenticated())) {
req.alias = noteId
} else {
return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)