From 124b06425214921c30a88e44a139b1cc8ca15b45 Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Mon, 29 Mar 2021 23:00:34 +0200
Subject: Check for existing notes on POST and dont override them

Previously one could override notes in FreeURL-mode by sending multiple POST requests to the /new/ endpoint. This commit adds a check for an already existing note with the requested alias and returns a HTTP 409 Conflict error in case that happens.

Signed-off-by: Erik Michelson
---
 lib/web/note/util.js | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
(limited to 'lib/web/note')
diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index effeb41c..dbca5d8e 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -46,7 +46,7 @@ exports.checkViewPermission = function (req, note) {
 }
 }
-exports.newNote = function (req, res, body) {
+exports.newNote = async function (req, res, body) {
 let owner = null
 const noteId = req.params.noteId ? req.params.noteId : null
 if (req.isAuthenticated()) {
@@ -60,6 +60,19 @@ exports.newNote = function (req, res, body) {
 } else {
 return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)
 }
+ try {
+ const count = await models.Note.count({
+ where: {
+ alias: req.alias
+ }
+ })
+ if (count > 0) {
+ return errors.errorConflict(res)
+ }
+ } catch (err) {
+ logger.error(err)
+ return errors.errorInternalError(res)
+ }
 }
 models.Note.create({
 ownerId: owner,
-- 
cgit v1.2.3
From dcea082286ce5c41e50f70820c065c677a176fc7 Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Mon, 29 Mar 2021 23:07:11 +0200
Subject: Add better logging messages

Signed-off-by: Erik Michelson
---
 lib/web/note/util.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib/web/note')
diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index dbca5d8e..5df1e820 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
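Review bot: The duplicate check in the added `try` block of the `@@ -60,6 +60,19 @@` hunk filters on `req.alias`, but nothing in the visible lines sets that property; the requested alias is read from `req.params.noteId` into `noteId` in the context lines of the preceding hunk. If `req.alias` is undefined, the query does not test the alias that is about to be created, so the override this commit is meant to stop may still be possible, or every such request may be rejected, depending on how the ORM treats an undefined filter value. Unless middleware outside this diff populates it, the filter should read `alias: noteId`. The count and the later `models.Note.create` are also two separate steps, so two concurrent POSTs for the same alias can both pass the check; a unique constraint on the alias column (not visible here) would be the reliable guard. The body of `newNote` starts and ends outside this hunk.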
@@ -70,7 +70,7 @@ exports.newNote = async function (req, res, body) {
 return errors.errorConflict(res)
 }
 } catch (err) {
- logger.error(err)
+ logger.error('Error while checking for possible duplicate: ' + err)
 return errors.errorInternalError(res)
 }
 }
@@ -82,7 +82,7 @@ exports.newNote = async function (req, res, body) {
 }).then(function (note) {
 return res.redirect(config.serverURL + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id)))
 }).catch(function (err) {
- logger.error(err)
+ logger.error('Note could not be created: ' + err)
 return errors.errorInternalError(res)
 })
 }
-- 
cgit v1.2.3
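Review bot: Concatenating `err` into the message in both changed `logger.error` calls (the duplicate-check `catch` in the `@@ -70,7 +70,7 @@` hunk and the `.catch` after `models.Note.create` in the `@@ -82,7 +82,7 @@` hunk) stringifies the error, which for a standard `Error` yields only its name and message, so the stack trace is no longer passed to the logger. Keeping the stack makes these 500 responses much easier to trace afterwards; consider `logger.error('Error while checking for possible duplicate: ' + (err.stack || err))` and the same form for `'Note could not be created: '`. Whether the previous `logger.error(err)` actually printed the stack depends on the logger configuration, which is not shown. `newNote` continues outside both hunks.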