From d097211c545118ac13626e1b0a01390b08880ad7 Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Mon, 23 Nov 2020 12:50:39 +0100
Subject: Fix unauthenticated file uploads

This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.

It is implemented by blocking uploads from unauthenticated users when `allowAnonymous` is set
to `false`, unless `allowAnonymousEdits` is set to `true`, so that anonymous
editors still experience the full feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
---
 lib/web/imageRouter/index.js | 3 +++
 1 file changed, 3 insertions(+)


diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
index b5c486c3..f456fd30 100644
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -23,6 +23,9 @@ imageRouter.post('/uploadimage', function (req, res) {
     if (err) {
       logger.error(`formidable error: ${err}`)
       return errors.errorForbidden(res)
+  } else if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) {
+      logger.error(`formidable error: Anonymous edits and therefore uploads are not allowed)`)
+      return errors.errorForbidden(res)
     } else if (!files.image || !files.image.path) {
       logger.error(`formidable error: Upload didn't contain file)`)
       return errors.errorBadRequest(res)