Home Explore Help
Sign In
kris
/
MusareFork
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Patched some security issues.

KrisVos130 8 years ago
parent
ace32436b2
commit
e2cdc4b9ee
3 changed files with 14 additions and 3 deletions
Split View Show Diff Stats
  1. 12 0
      backend/logic/actions/users.js
  2. 0 1
      backend/logic/app.js
  3. 2 2
      frontend/components/User/Settings.vue

+ 12 - 0
backend/logic/actions/users.js
View File 

@@ -386,6 +386,12 @@ module.exports = {
 
 	updateUsername: hooks.loginRequired((session, updatingUserId, newUsername, cb, userId) => {
 
 		async.waterfall([
 
 			(next) => {
 
+				if (updatingUserId === userId) return next(null, true);
 
+				db.models.user.findOne({_id: userId}, next);
 
+			},
 
+
 
+			(user, next) => {
 
+				if (user !== true && (!user || user.role !== 'admin')) return next('Invalid permissions.');
 
 				db.models.user.findOne({ _id: updatingUserId }, next);
 
 			},
 
 
@@ -438,6 +444,12 @@ module.exports = {
 
 		let verificationToken = utils.generateRandomString(64);
 
 		async.waterfall([
 
 			(next) => {
 
+				if (updatingUserId === userId) return next(null, true);
 
+				db.models.user.findOne({_id: userId}, next);
 
+			},
 
+
 
+			(user, next) => {
 
+				if (user !== true && (!user || user.role !== 'admin')) return next('Invalid permissions.');
 
 				db.models.user.findOne({ _id: updatingUserId }, next);
 
 			},

+ 0 - 1
backend/logic/app.js
View File 

@@ -150,7 +150,6 @@ const lib = {
 
 				(httpResponse, body2, next) => {
 
 					body2 = JSON.parse(body2);
 
 					if (!Array.isArray(body2)) return next(body2.message);
 
-					let address;
 
 					body2.forEach(email => {
 
 						if (email.primary) address = email.email.toLowerCase();
 
 					});

+ 2 - 2
frontend/components/User/Settings.vue
View File 

@@ -124,7 +124,7 @@
 
 		methods: {
 
 			changeEmail: function () {
 
 				if (!this.user.email.address) return Toast.methods.addToast('Email cannot be empty', 8000);
 
-				this.socket.emit('users.updateEmail', this.user.email.address, res => {
 
+				this.socket.emit('users.updateEmail', this.$parent.userId, this.user.email.address, res => {
 
 					if (res.status !== 'success') Toast.methods.addToast(res.message, 8000);
 
 					else Toast.methods.addToast('Successfully changed email address', 4000);
 
 				});
 
@@ -132,7 +132,7 @@
 
 			changeUsername: function () {
 
 				let _this = this;
 
 				if (!_this.user.username) return Toast.methods.addToast('Username cannot be empty', 8000);
 
-				_this.socket.emit('users.updateUsername', _this.user.username, res => {
 
+				_this.socket.emit('users.updateUsername', this.$parent.userId, _this.user.username, res => {
 
 					if (res.status !== 'success') Toast.methods.addToast(res.message, 8000);
 
 					else Toast.methods.addToast('Successfully changed username', 4000);
 
 				});