wipe out more session access

Shane Kilkelly 2016-09-22 15:33:50 +01:00
parent ff1c72ee14
commit a0f156e1a9
5 changed files with 21 additions and 17 deletions


@ -1,5 +1,6 @@
Errors = require "./Errors"
logger = require "logger-sharelatex"
AuthenticationController = require '../Authentication/AuthenticationController'
module.exports = ErrorController =
notFound: (req, res)->
@ -13,13 +14,14 @@ module.exports = ErrorController =
title: "Server Error"
handleError: (error, req, res, next) ->
user = AuthenticationController.getSessionUser(req)
if error?.code is 'EBADCSRFTOKEN'
logger.warn err: error,url:req.url, method:req.method, user:req?.sesson?.user, "invalid csrf"
logger.warn err: error,url:req.url, method:req.method, user:user, "invalid csrf"
res.sendStatus(403)
return
if error instanceof Errors.NotFoundError
logger.warn {err: error, url: req.url}, "not found error"
ErrorController.notFound req, res
else
logger.error err: error, url:req.url, method:req.method, user:req?.sesson?.user, "error passed to top level next middlewear"
logger.error err: error, url:req.url, method:req.method, user:user, "error passed to top level next middlewear"
ErrorController.serverError req, res
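Review bot: The `user: user` passed to `logger.warn` in the csrf branch and to `logger.error` in the else branch is the whole object returned by `AuthenticationController.getSessionUser(req)`, so these log lines now carry everything the session stores for the user; the removed lines referenced `req?.sesson?.user`, a misspelling that presumably always logged undefined, so this is a new disclosure into the logs rather than a restored one. Logging only the identifier bounds what lands in log storage and matches what the cdnBlocked middleware in this same commit logs: `user_id: user?._id` in place of `user: user` in both calls. The logout hunk in UserController has the same shape (`logger.log user: user, "logging out"`) and the same fix applies there. The pre-existing "middlewear" typo in the error message could be corrected while this line is being touched.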


@ -9,6 +9,7 @@ Settings = require("settings-sharelatex")
contentful = require('contentful')
marked = require("marked")
sixpack = require("../../infrastructure/Sixpack")
AuthenticationController = require '../Authentication/AuthenticationController'
@ -36,7 +37,8 @@ module.exports = UniversityController =
getIndexPage: (req, res)->
client = sixpack.client(req?.session?.user?._id?.toString() || req.ip)
user = AuthenticationController.getSessionUser(req)
client = sixpack.client(user?._id?.toString() || req.ip)
client.participate 'instapage-pages', ['default', 'instapage'], (err, response)->
if response?.alternative?.name == "instapage"
return res.redirect("/i/university")
@ -70,6 +72,3 @@ module.exports = UniversityController =
viewData = entry.items[0].fields
viewData.html = marked(viewData.content)
res.render "university/case_study", viewData:viewData


@ -92,11 +92,12 @@ module.exports =
res.sendStatus 200
completeJoin: (req, res)->
currentUser = AuthenticationController.getSessionUser(req)
subscription_id = req.params.subscription_id
if !SubscriptionDomainHandler.findDomainLicenceBySubscriptionId(subscription_id)?
return ErrorsController.notFound(req, res)
email = req?.session?.user?.email
logger.log subscription_id:subscription_id, user_id:req?.session?.user?._id, email:email, "starting the completion of joining group"
email = currentUser?.email
logger.log subscription_id:subscription_id, user_id:currentUser?._id, email:email, "starting the completion of joining group"
SubscriptionGroupHandler.processGroupVerification email, subscription_id, req.query?.token, (err)->
if err? and err == "token_not_found"
return res.redirect "/user/subscription/#{subscription_id}/group/invited?expired=true"
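Review bot: `email = currentUser?.email` yields undefined when there is no session user, and completeJoin then proceeds to `SubscriptionGroupHandler.processGroupVerification email, subscription_id, req.query?.token, (err)->` with that undefined email instead of stopping; unless a login-required middleware guards this route (not visible in the hunk), an unauthenticated request reaches the verification handler with only the query token. A guard directly after the lookup makes the requirement explicit, e.g. `if !currentUser? then return res.sendStatus 401` (or whatever this file uses for unauthenticated requests). The optional chaining on `currentUser?.email` is what hides the missing-user case, so once the guard exists it can become a plain `currentUser.email`. The rest of completeJoin continues outside the hunk.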


@ -83,9 +83,9 @@ module.exports = UserController =
logout : (req, res)->
metrics.inc "user.logout"
logger.log user: req?.session?.user, "logging out"
sessionId = req.sessionID
user = AuthenticationController.getSessionUser(req)
logger.log user: user, "logging out"
sessionId = req.sessionID
req.logout?() # passport logout
req.session.destroy (err)->
if err


@ -63,9 +63,10 @@ module.exports = (app, webRouter, apiRouter)->
webRouter.use (req, res, next)->
cdnBlocked = req.query.nocdn == 'true' or req.session.cdnBlocked
user_id = AuthenticationController.getLoggedInUserId(req)
if cdnBlocked and !req.session.cdnBlocked?
logger.log user_id:req?.session?.user?._id, ip:req?.ip, "cdnBlocked for user, not using it and turning it off for future requets"
logger.log user_id:user_id, ip:req?.ip, "cdnBlocked for user, not using it and turning it off for future requets"
req.session.cdnBlocked = true
isDark = req.headers?.host?.slice(0,4)?.toLowerCase() == "dark"
@ -134,7 +135,8 @@ module.exports = (app, webRouter, apiRouter)->
webRouter.use (req, res, next) ->
res.locals.getUserEmail = ->
email = req?.session?.user?.email or ""
user = AuthenticationController.getSessionUser(req)
email = user?.email or ""
return email
next()
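Review bot: In the first hunk `user_id = AuthenticationController.getLoggedInUserId(req)` runs for every request through this middleware, but its value is used only inside the `if cdnBlocked and !req.session.cdnBlocked?` branch; moving the assignment to the first line of that branch, directly above `logger.log user_id:user_id, ip:req?.ip, ...`, keeps the common path free of the lookup and places the variable next to its only use. The cost is presumably small if getLoggedInUserId only reads the session, so this is a point of style rather than correctness. The second hunk reaches for `AuthenticationController.getSessionUser(req)` where the first uses getLoggedInUserId; both are fine if one is a convenience over the other, but the mix within one file is worth a glance. The enclosing `module.exports = (app, webRouter, apiRouter)->` function starts before and runs past both hunks.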