From a0f156e1a983d01e75e1132cc4cc5fbd8766a1fe Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Thu, 22 Sep 2016 15:33:50 +0100
Subject: [PATCH] wipe out more session access
---
 .../app/coffee/Features/Errors/ErrorController.coffee | 10 ++++++----
 .../Features/StaticPages/UniversityController.coffee | 11 +++++------
 .../Subscription/SubscriptionGroupController.coffee | 5 +++--
 .../app/coffee/Features/User/UserController.coffee | 4 ++--
 .../app/coffee/infrastructure/ExpressLocals.coffee | 8 +++++---
 5 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/services/web/app/coffee/Features/Errors/ErrorController.coffee b/services/web/app/coffee/Features/Errors/ErrorController.coffee
index 16b160642a..861a1362b2 100644
--- a/services/web/app/coffee/Features/Errors/ErrorController.coffee
+++ b/services/web/app/coffee/Features/Errors/ErrorController.coffee
@@ -1,5 +1,6 @@
 Errors = require "./Errors"
 logger = require "logger-sharelatex"
+AuthenticationController = require '../Authentication/AuthenticationController'
 module.exports = ErrorController =
 notFound: (req, res)->
@@ -11,15 +12,16 @@ module.exports = ErrorController =
 res.status(500)
 res.render 'general/500', title: "Server Error"
-
+
 handleError: (error, req, res, next) ->
+ user = AuthenticationController.getSessionUser(req)
 if error?.code is 'EBADCSRFTOKEN'
- logger.warn err: error,url:req.url, method:req.method, user:req?.sesson?.user, "invalid csrf"
+ logger.warn err: error,url:req.url, method:req.method, user:user, "invalid csrf"
 res.sendStatus(403)
 return
 if error instanceof Errors.NotFoundError
 logger.warn {err: error, url: req.url}, "not found error"
 ErrorController.notFound req, res
 else
- logger.error err: error, url:req.url, method:req.method, user:req?.sesson?.user, "error passed to top level next middlewear"
- ErrorController.serverError req, res
\ No newline at end of file
+ logger.error err: error, url:req.url, method:req.method, user:user, "error passed to top level next middlewear"
+ ErrorController.serverError req, res
diff --git a/services/web/app/coffee/Features/StaticPages/UniversityController.coffee b/services/web/app/coffee/Features/StaticPages/UniversityController.coffee
index 5d405057ad..ed3556292a 100644
--- a/services/web/app/coffee/Features/StaticPages/UniversityController.coffee
+++ b/services/web/app/coffee/Features/StaticPages/UniversityController.coffee
@@ -9,15 +9,16 @@ Settings = require("settings-sharelatex")
 contentful = require('contentful')
 marked = require("marked")
 sixpack = require("../../infrastructure/Sixpack")
+AuthenticationController = require '../Authentication/AuthenticationController'
-module.exports = UniversityController =
+module.exports = UniversityController =
 getPage: (req, res, next)->
 url = req.url?.toLowerCase()
 universityUrl = "#{settings.apis.university.url}#{url}"
- if StaticPageHelpers.shouldProxy(url)
+ if StaticPageHelpers.shouldProxy(url)
 return UniversityController._directProxy universityUrl, res
 logger.log url:url, "proxying request to university api"
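Review bot: The two rewritten logger calls in handleError (`user:user` in the `logger.warn` for EBADCSRFTOKEN and in the `logger.error` of the else branch) now emit the whole session user object, whereas the removed lines read `req?.sesson?.user`, which the typo made always undefined, so this commit silently starts writing full user records — which, judging by the `currentUser?.email` read in the SubscriptionGroupController hunk, carry at least the email — into the error log on every CSRF rejection and every unhandled error. Logging only the identifier keeps the correlation value without the personal data: `user_id: user?._id` in both calls. The same remark applies to `logger.log user: user, "logging out"` in the UserController logout hunk below, where the full object was already being logged before this change. Since the `logger.error` line is being rewritten anyway, the misspelling in its message ("middlewear") could be fixed at the same time.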
@@ -36,7 +37,8 @@ module.exports = UniversityController =
 getIndexPage: (req, res)->
- client = sixpack.client(req?.session?.user?._id?.toString() || req.ip)
+ user = AuthenticationController.getSessionUser(req)
+ client = sixpack.client(user?._id?.toString() || req.ip)
 client.participate 'instapage-pages', ['default', 'instapage'], (err, response)->
 if response?.alternative?.name == "instapage"
 return res.redirect("/i/university")
@@ -70,6 +72,3 @@ module.exports = UniversityController =
 viewData = entry.items[0].fields
 viewData.html = marked(viewData.content)
 res.render "university/case_study", viewData:viewData
-
-
-
diff --git a/services/web/app/coffee/Features/Subscription/SubscriptionGroupController.coffee b/services/web/app/coffee/Features/Subscription/SubscriptionGroupController.coffee
index 91de537058..3e49cd20bd 100644
--- a/services/web/app/coffee/Features/Subscription/SubscriptionGroupController.coffee
+++ b/services/web/app/coffee/Features/Subscription/SubscriptionGroupController.coffee
@@ -92,11 +92,12 @@ module.exports =
 res.sendStatus 200
 completeJoin: (req, res)->
+ currentUser = AuthenticationController.getSessionUser(req)
 subscription_id = req.params.subscription_id
 if !SubscriptionDomainHandler.findDomainLicenceBySubscriptionId(subscription_id)?
 return ErrorsController.notFound(req, res)
- email = req?.session?.user?.email
- logger.log subscription_id:subscription_id, user_id:req?.session?.user?._id, email:email, "starting the completion of joining group"
+ email = currentUser?.email
+ logger.log subscription_id:subscription_id, user_id:currentUser?._id, email:email, "starting the completion of joining group"
 SubscriptionGroupHandler.processGroupVerification email, subscription_id, req.query?.token, (err)->
 if err? and err == "token_not_found"
 return res.redirect "/user/subscription/#{subscription_id}/group/invited?expired=true"
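Review bot: `currentUser` is assigned at the top of completeJoin but never checked, so with no session user `email` is undefined and `SubscriptionGroupHandler.processGroupVerification` is still called with an undefined email and the `req.query?.token` value; unless a login-required middleware guards this route (not visible in the diff), a guard directly after the new line — `return ErrorsController.notFound(req, res) unless currentUser?`, or whichever response the file uses for unauthenticated callers — would stop the verification from running with no user attached. This hunk also uses AuthenticationController without adding a require, unlike the ErrorController and UniversityController hunks; if the top of the file does not already require it, the first request to this route fails with a ReferenceError. The body of completeJoin continues past the end of the hunk.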
diff --git a/services/web/app/coffee/Features/User/UserController.coffee b/services/web/app/coffee/Features/User/UserController.coffee
index 37c9cc4eaa..f898b50c63 100644
--- a/services/web/app/coffee/Features/User/UserController.coffee
+++ b/services/web/app/coffee/Features/User/UserController.coffee
@@ -83,9 +83,9 @@ module.exports = UserController =
 logout : (req, res)->
 metrics.inc "user.logout"
- logger.log user: req?.session?.user, "logging out"
- sessionId = req.sessionID
 user = AuthenticationController.getSessionUser(req)
+ logger.log user: user, "logging out"
+ sessionId = req.sessionID
 req.logout?() # passport logout
 req.session.destroy (err)->
 if err
diff --git a/services/web/app/coffee/infrastructure/ExpressLocals.coffee b/services/web/app/coffee/infrastructure/ExpressLocals.coffee
index a9228a4c67..dcb19247cc 100644
--- a/services/web/app/coffee/infrastructure/ExpressLocals.coffee
+++ b/services/web/app/coffee/infrastructure/ExpressLocals.coffee
@@ -63,9 +63,10 @@ module.exports = (app, webRouter, apiRouter)->
 webRouter.use (req, res, next)->
 cdnBlocked = req.query.nocdn == 'true' or req.session.cdnBlocked
+ user_id = AuthenticationController.getLoggedInUserId(req)
 if cdnBlocked and !req.session.cdnBlocked?
- logger.log user_id:req?.session?.user?._id, ip:req?.ip, "cdnBlocked for user, not using it and turning it off for future requets"
+ logger.log user_id:user_id, ip:req?.ip, "cdnBlocked for user, not using it and turning it off for future requets"
 req.session.cdnBlocked = true
 isDark = req.headers?.host?.slice(0,4)?.toLowerCase() == "dark"
@@ -132,9 +133,10 @@ module.exports = (app, webRouter, apiRouter)->
 Settings.siteUrl.substring(Settings.siteUrl.indexOf("//")+2)
 next()
- webRouter.use (req, res, next)->
+ webRouter.use (req, res, next) ->
 res.locals.getUserEmail = ->
- email = req?.session?.user?.email or ""
+ user = AuthenticationController.getSessionUser(req)
+ email = user?.email or ""
 return email
 next()
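Review bot: `user_id = AuthenticationController.getLoggedInUserId(req)` is now computed on every request passing through this ExpressLocals middleware, but its only use is the `logger.log` inside `if cdnBlocked and !req.session.cdnBlocked?`; moving the assignment into that branch, i.e. `if cdnBlocked and !req.session.cdnBlocked?` followed by `user_id = AuthenticationController.getLoggedInUserId(req)`, keeps the change confined to the rare path that actually logs. Neither ExpressLocals hunk adds a require for AuthenticationController, so it has to be in scope already at the top of ExpressLocals.coffee, which is outside the diff and worth confirming. The enclosing `module.exports = (app, webRouter, apiRouter)->` function and the `webRouter.use` callback both start before and end after this hunk.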