Check for existing notes on POST and dont override them

Previously one could override notes in FreeURL-mode by sending multiple POST requests to the /new/<alias> endpoint. This commit adds a check for an already existing note with the requested alias and returns a HTTP 409 Conflict error in case that happens. Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2025-03-25 06:54:30 +00:00 · 2021-03-29 23:00:34 +02:00 · 2021-03-29 23:00:34 +02:00 · 124b064252
commit 124b064252
parent 6531ea1a21
2 changed files with 17 additions and 1 deletions
--- a/lib/errors.js
+++ b/lib/errors.js
@ -20,6 +20,9 @@ module.exports = {
  errorBadRequest: function (res) {
    responseError(res, '400', 'Bad Request', 'something not right.')
  },
+  errorConflict: function (res) {
+    responseError(res, '409', 'Conflict', 'This note already exists.')
+  },
  errorTooLong: function (res) {
    responseError(res, '413', 'Payload Too Large', 'Shorten your note!')
  },
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@ -46,7 +46,7 @@ exports.checkViewPermission = function (req, note) {
  }
 }

-exports.newNote = function (req, res, body) {
+exports.newNote = async function (req, res, body) {
  let owner = null
  const noteId = req.params.noteId ? req.params.noteId : null
  if (req.isAuthenticated()) {
@ -60,6 +60,19 @@ exports.newNote = function (req, res, body) {
    } else {
      return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)
    }
+    try {
+      const count = await models.Note.count({
+        where: {
+          alias: req.alias
+        }
+      })
+      if (count > 0) {
+        return errors.errorConflict(res)
+      }
+    } catch (err) {
+      logger.error(err)
+      return errors.errorInternalError(res)
+    }
  }
  models.Note.create({
    ownerId: owner,