Check for existing notes on POST and dont override them

Previously one could override notes in FreeURL-mode by sending multiple POST requests to the /new/<alias> endpoint. This commit adds a check for an already existing note with the requested alias and returns a HTTP 409 Conflict error in case that happens.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>

2 files changed, 17 insertions, 1 deletions

diff --git a/lib/errors.js b/lib/errors.js
index 950b4cae..599f54b2 100644
--- a/lib/errors.js
+++ b/lib/errors.js
@@ -20,6 +20,9 @@ module.exports = {
   errorBadRequest: function (res) {
     responseError(res, '400', 'Bad Request', 'something not right.')
   },
+  errorConflict: function (res) {
+    responseError(res, '409', 'Conflict', 'This note already exists.')
+  },
   errorTooLong: function (res) {
     responseError(res, '413', 'Payload Too Large', 'Shorten your note!')
   },
diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index effeb41c..dbca5d8e 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -46,7 +46,7 @@ exports.checkViewPermission = function (req, note) {
   }
 }
 
-exports.newNote = function (req, res, body) {
+exports.newNote = async function (req, res, body) {
   let owner = null
   const noteId = req.params.noteId ? req.params.noteId : null
   if (req.isAuthenticated()) {
@@ -60,6 +60,19 @@ exports.newNote = function (req, res, body) {
     } else {
       return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)
     }
+    try {
+      const count = await models.Note.count({
+        where: {
+          alias: req.alias
+        }
+      })
+      if (count > 0) {
+        return errors.errorConflict(res)
+      }
+    } catch (err) {
+      logger.error(err)
+      return errors.errorInternalError(res)
+    }
   }
   models.Note.create({
     ownerId: owner,