wipe out more session access

2024-11-07 20:31:06 -05:00 · 2016-09-22 15:33:50 +01:00 · 2016-09-22 15:33:50 +01:00 · a0f156e1a9
commit a0f156e1a9
parent ff1c72ee14
5 changed files with 21 additions and 17 deletions
--- a/services/web/app/coffee/Features/Errors/ErrorController.coffee
+++ b/services/web/app/coffee/Features/Errors/ErrorController.coffee
@ -1,5 +1,6 @@
 Errors = require "./Errors"
 logger = require "logger-sharelatex"
+AuthenticationController = require '../Authentication/AuthenticationController'

 module.exports = ErrorController =
 	notFound: (req, res)->
@ -11,15 +12,16 @@ module.exports = ErrorController =
 		res.status(500)
 		res.render 'general/500',
 			title: "Server Error"
-	
+
 	handleError: (error, req, res, next) ->
+		user = AuthenticationController.getSessionUser(req)
 		if error?.code is 'EBADCSRFTOKEN'
-			logger.warn err: error,url:req.url, method:req.method, user:req?.sesson?.user, "invalid csrf"
+			logger.warn err: error,url:req.url, method:req.method, user:user, "invalid csrf"
 			res.sendStatus(403)
 			return
 		if error instanceof Errors.NotFoundError
 			logger.warn {err: error, url: req.url}, "not found error"
 			ErrorController.notFound req, res
 		else
-			logger.error err: error, url:req.url, method:req.method, user:req?.sesson?.user, "error passed to top level next middlewear"
-			ErrorController.serverError req, res
+			logger.error err: error, url:req.url, method:req.method, user:user, "error passed to top level next middlewear"
+			ErrorController.serverError req, res
--- a/services/web/app/coffee/Features/StaticPages/UniversityController.coffee
+++ b/services/web/app/coffee/Features/StaticPages/UniversityController.coffee
@ -9,15 +9,16 @@ Settings = require("settings-sharelatex")
 contentful = require('contentful')
 marked = require("marked")
 sixpack = require("../../infrastructure/Sixpack")
+AuthenticationController = require '../Authentication/AuthenticationController'



-module.exports = UniversityController = 
+module.exports = UniversityController =

 	getPage: (req, res, next)->
 		url = req.url?.toLowerCase()
 		universityUrl = "#{settings.apis.university.url}#{url}"
-		if StaticPageHelpers.shouldProxy(url) 
+		if StaticPageHelpers.shouldProxy(url)
 			return UniversityController._directProxy universityUrl, res

 		logger.log url:url, "proxying request to university api"
@ -36,7 +37,8 @@ module.exports = UniversityController =


 	getIndexPage: (req, res)->
-		client = sixpack.client(req?.session?.user?._id?.toString() || req.ip)
+		user = AuthenticationController.getSessionUser(req)
+		client = sixpack.client(user?._id?.toString() || req.ip)
 		client.participate 'instapage-pages', ['default', 'instapage'], (err, response)->
 			if response?.alternative?.name == "instapage"
 				return res.redirect("/i/university")
@ -70,6 +72,3 @@ module.exports = UniversityController =
 				viewData = entry.items[0].fields
 				viewData.html = marked(viewData.content)
 				res.render "university/case_study", viewData:viewData
-
-
-
--- a/services/web/app/coffee/Features/Subscription/SubscriptionGroupController.coffee
+++ b/services/web/app/coffee/Features/Subscription/SubscriptionGroupController.coffee
@ -92,11 +92,12 @@ module.exports =
 				res.sendStatus 200

 	completeJoin: (req, res)->
+		currentUser = AuthenticationController.getSessionUser(req)
 		subscription_id = req.params.subscription_id
 		if !SubscriptionDomainHandler.findDomainLicenceBySubscriptionId(subscription_id)?
 			return ErrorsController.notFound(req, res)
-		email = req?.session?.user?.email
-		logger.log subscription_id:subscription_id, user_id:req?.session?.user?._id, email:email, "starting the completion of joining group"
+		email = currentUser?.email
+		logger.log subscription_id:subscription_id, user_id:currentUser?._id, email:email, "starting the completion of joining group"
 		SubscriptionGroupHandler.processGroupVerification email, subscription_id, req.query?.token, (err)->
 			if err? and err == "token_not_found"
 				return res.redirect "/user/subscription/#{subscription_id}/group/invited?expired=true"
--- a/services/web/app/coffee/Features/User/UserController.coffee
+++ b/services/web/app/coffee/Features/User/UserController.coffee
@ -83,9 +83,9 @@ module.exports = UserController =

 	logout : (req, res)->
 		metrics.inc "user.logout"
-		logger.log user: req?.session?.user, "logging out"
-		sessionId = req.sessionID
 		user = AuthenticationController.getSessionUser(req)
+		logger.log user: user, "logging out"
+		sessionId = req.sessionID
 		req.logout?()  # passport logout
 		req.session.destroy (err)->
 			if err
--- a/services/web/app/coffee/infrastructure/ExpressLocals.coffee
+++ b/services/web/app/coffee/infrastructure/ExpressLocals.coffee
@ -63,9 +63,10 @@ module.exports = (app, webRouter, apiRouter)->
 	webRouter.use (req, res, next)->

 		cdnBlocked = req.query.nocdn == 'true' or req.session.cdnBlocked
+		user_id = AuthenticationController.getLoggedInUserId(req)

 		if cdnBlocked and !req.session.cdnBlocked?
-			logger.log user_id:req?.session?.user?._id, ip:req?.ip, "cdnBlocked for user, not using it and turning it off for future requets"
+			logger.log user_id:user_id, ip:req?.ip, "cdnBlocked for user, not using it and turning it off for future requets"
 			req.session.cdnBlocked = true

 		isDark = req.headers?.host?.slice(0,4)?.toLowerCase() == "dark"
@ -132,9 +133,10 @@ module.exports = (app, webRouter, apiRouter)->
 			Settings.siteUrl.substring(Settings.siteUrl.indexOf("//")+2)
 		next()

-	webRouter.use (req, res, next)->
+	webRouter.use (req, res, next) ->
 		res.locals.getUserEmail = ->
-			email = req?.session?.user?.email or ""
+			user = AuthenticationController.getSessionUser(req)
+			email = user?.email or ""
 			return email
 		next()