github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-11-25 03:06:31 -05:00
Code Issues Projects Releases Packages Wiki Activity

Fix unauthenticated file uploads

Browse source 
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.

It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2020-11-23 12:50:39 +01:00 committed by David Mehren
parent dc29a286e6
commit d097211c54
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
lib/web/imageRouter/index.js
View file

@ -23,6 +23,9 @@ imageRouter.post('/uploadimage', function (req, res) {
if (err) { if (err) {
logger.error(`formidable error: ${err}`) logger.error(`formidable error: ${err}`)
return errors.errorForbidden(res) return errors.errorForbidden(res)
} else if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) {
logger.error(`formidable error: Anonymous edits and therefore uploads are not allowed)`)
return errors.errorForbidden(res)
} else if (!files.image || !files.image.path) { } else if (!files.image || !files.image.path) {
logger.error(`formidable error: Upload didn't contain file)`) logger.error(`formidable error: Upload didn't contain file)`)
return errors.errorBadRequest(res) return errors.errorBadRequest(res)