Fix unauthenticated file uploads

This patch fixes the issue of unauthenticated users, being able to upload files, even when anonymous edits are disabled. It's implemented by blocking uploads when either `allowAnonymous` is set to `false` for all unauthenticated users, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
author: Sheogorath 2020-11-23 12:50:39 +0100
committer: David Mehren 2020-12-27 19:51:01 +0100
commit: d097211c545118ac13626e1b0a01390b08880ad7 (patch)
tree: 06b8cbb06e247bef2b20d5eb7786a055fec31dc7 /lib
parent: dc29a286e665555cccb92760908e50cd967fd2e7 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
index b5c486c3..f456fd30 100644
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -23,6 +23,9 @@ imageRouter.post('/uploadimage', function (req, res) {
     if (err) {
       logger.error(`formidable error: ${err}`)
       return errors.errorForbidden(res)
+  } else if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) {
+      logger.error(`formidable error: Anonymous edits and therefore uploads are not allowed)`)
+      return errors.errorForbidden(res)
     } else if (!files.image || !files.image.path) {
       logger.error(`formidable error: Upload didn't contain file)`)
       return errors.errorBadRequest(res)
author	Sheogorath	2020-11-23 12:50:39 +0100
committer	David Mehren	2020-12-27 19:51:01 +0100
commit	d097211c545118ac13626e1b0a01390b08880ad7 (patch)
tree	06b8cbb06e247bef2b20d5eb7786a055fec31dc7 /lib
parent	dc29a286e665555cccb92760908e50cd967fd2e7 (diff)