From 3331c0947cb6d63ce7f2846c38d5a7b82960b2eb Mon Sep 17 00:00:00 2001
From: Nicolas Dietrich
Date: Fri, 22 Jan 2021 15:36:47 +0100
Subject: Minor refactoring of freeURL condition check
Signed-off-by: Nicolas Dietrich
---
 lib/web/note/util.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'lib/web/note')
diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index 9c6c1c8a..75f0c815 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -51,10 +51,12 @@ exports.newNote = function (req, res, body) {
 } else if (!config.allowAnonymous) {
 return errors.errorForbidden(res)
 }
- if (config.allowFreeURL && noteId && !config.forbiddenNoteIDs.includes(noteId)) {
- req.alias = noteId
- } else if (noteId) {
- return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)
+ if (noteId) {
+ if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) {
+ req.alias = noteId
+ } else {
+ return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)
+ }
 }
 models.Note.create({
 ownerId: owner,
-- 
cgit v1.2.3
From 497569fee4a841b13ed1606ca54f269162d3fa62 Mon Sep 17 00:00:00 2001
From: Nicolas Dietrich
Date: Fri, 22 Jan 2021 16:47:47 +0100
Subject: Add config option which requires authentication in FreeURL mode
This mitigates unintended note creation by bots or humans through a simple GET call. See discussion in #754.
Signed-off-by: Nicolas Dietrich
---
 lib/web/note/util.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/web/note')
diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index 75f0c815..57438515 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -52,7 +52,7 @@ exports.newNote = function (req, res, body) {
 return errors.errorForbidden(res)
 }
 if (noteId) {
- if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) {
+ if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId) && (!config.requireFreeURLAuthentication || req.isAuthenticated())) {
 req.alias = noteId
 } else {
 return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)
-- 
cgit v1.2.3
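Review bot: The new condition on the `+` line folds three independent gates — free-URL mode, the forbidden-ID list, and the new authentication requirement — into one long expression, and an unauthenticated caller is then sent down the same `errorNotFound`/`errorForbidden` branch as a forbidden ID, so the reason a free-URL request was denied is no longer distinguishable at this point. Extracting the new gate into a named boolean keeps the line readable and gives a natural place to document it: `const freeURLAuthOk = !config.requireFreeURLAuthentication || req.isAuthenticated()` just above the `if`, then `if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId) && freeURLAuthOk) {`. `config.requireFreeURLAuthentication` is read here but not defined in this hunk (the cgit view is limited to `lib/web/note`); presumably the config loader in the same commit defaults it to false, since an undefined value makes the negation true and preserves the old behaviour — worth confirming, and worth stating in the option's documentation that it only takes effect when `allowFreeURL` is on and anonymous access is allowed, because the `allowAnonymous` check in the preceding context already rejects unauthenticated requests otherwise. `exports.newNote` starts and ends outside the hunk.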