From 95467dc0412f08a8bbb74b5e43e2abf310d4627e Mon Sep 17 00:00:00 2001
From: Evert
Date: Wed, 30 Aug 2017 15:23:45 +0300
Subject: [PATCH] some stuff again

---
 documents/terms-of-service.html | 2 +
 server/api/admin.js | 3 --
 server/api/news.js | 1 -
 server/routes/admin.js | 7 ++-
 server/routes/api.js | 10 +++-
 server/routes/index.js | 89 ++++++++++++++++-----------------
 views/admin/index.pug | 2 +-
 views/news/composer.pug | 6 +--
 views/news/news.pug | 2 +-
 9 files changed, 62 insertions(+), 60 deletions(-)

diff --git a/documents/terms-of-service.html b/documents/terms-of-service.html
index 2aba74a..5878d56 100644
--- a/documents/terms-of-service.html
+++ b/documents/terms-of-service.html
@@ -4,6 +4,8 @@

Separate entities owned by Icy Network may have their own Terms and Conditions which you must read and comply with.

Who May Use the Services

You may use our Services only if you have not been previously unauthorized of doing so and that you are above the legal age of 13. Our Services may contain inappropriate language or images not suitable for minors.

+

Email Address

+

When signing up for an Account, you must provide a valid Email Address. If you use disposable/one-time email addresses, your Account may be subject to deletion.

Privacy

Icy Network requires you to sign up for an account or log in using another external website. Please read our Privacy Policies before entering any information into our Services to understand what information we may collect and what it's used for.

Content on the Services

diff --git a/server/api/admin.js b/server/api/admin.js index 4975d2b..9c36766 100644 --- a/server/api/admin.js +++ b/server/api/admin.js @@ -115,8 +115,6 @@ const API = { return cleanClientObject(raw[0]) }, updateClient: async function (id, data) { - if (isNaN(id)) return {error: 'Invalid client ID'} - let fields = [ 'title', 'description', 'url', 'redirect_url', 'scope' ] @@ -207,7 +205,6 @@ const API = { } }, removeBan: async function (banId) { - if (isNaN(banId)) return {error: 'Invalid number'} return Models.Ban.query().delete().where('id', banId) }, addBan: async function (data, adminId) { diff --git a/server/api/news.js b/server/api/news.js index eb81e1f..99db55c 100644 --- a/server/api/news.js +++ b/server/api/news.js @@ -94,7 +94,6 @@ const News = { return result }, edit: async (id, body) => { - if (!body.content) return {error: 'Content required'} let patch = { content: body.content, updated_at: new Date() diff --git a/server/routes/admin.js b/server/routes/admin.js index 812e8b5..e572067 100644 --- a/server/routes/admin.js +++ b/server/routes/admin.js @@ -140,12 +140,15 @@ apiRouter.post('/client/new', wrap(async (req, res) => { })) apiRouter.post('/client/update', wrap(async (req, res) => { - if (!req.body.id) return res.status(400).jsonp({error: 'ID missing'}) + let id = parseInt(req.body.id) + + if (!id || isNaN(id)) return res.status(400).jsonp({error: 'ID missing'}) + if (req.body.csrf !== req.session.csrf) { return res.status(400).jsonp({error: 'Invalid session'}) } - let update = await API.updateClient(parseInt(req.body.id), req.body) + let update = await API.updateClient(id, req.body) if (update.error) { return res.status(400).jsonp({error: update.error}) } diff --git a/server/routes/api.js b/server/routes/api.js index 183421f..66534af 100644 --- a/server/routes/api.js +++ b/server/routes/api.js 
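Review bot: Removing the isNaN guard from removeBan in server/api/admin.js leaves `.where('id', banId)` with no validation at all, because unlike updateClient (whose `/client/update` route gains a check in this diff) and News.edit (whose `/news/edit/:id` route gains the content check in the server/routes/api.js hunk), no caller of removeBan is touched in this commit. The same layering question applies to the updateClient and News.edit hunks: the API layer now relies entirely on every route remembering to validate before calling. Keeping the cheap guard `if (isNaN(banId)) return {error: 'Invalid number'}` at the API layer, or confirming in the same commit that the ban route validates banId before the call, preserves that defense in depth. The enclosing API and News object literals continue outside these hunks.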
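Review bot: In the `/client/update` handler, `parseInt(req.body.id)` has no radix and accepts trailing garbage (`'12abc'` parses as 12), and the `isNaN(id)` half of the new guard is dead code because `!id` is already true for NaN. A stricter pair is `let id = Number.parseInt(req.body.id, 10)` followed by `if (!Number.isInteger(id) || id < 1) return res.status(400).jsonp({error: 'ID missing'})`, which keeps the existing rejection of 0. The `/news/edit/:id` handler in the server/routes/api.js hunk has the identical pattern and would take the same change. The `/client/update` handler continues past the end of this hunk.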
@@ -289,12 +289,18 @@ router.get('/news/all/', (req, res) => { }) router.post('/news/edit/:id', wrap(async (req, res, next) => { + let id = parseInt(req.params.id) + if (!req.session.user || req.session.user.privilege < 1) return next() - if (!req.params.id || isNaN(parseInt(req.params.id))) { + + if (!id || isNaN(id)) { return res.status(400).jsonp({error: 'Invalid ID number.'}) } - let id = parseInt(req.params.id) + if (!req.body.content) { + return res.status(400).jsonp({error: 'Content is required.'}) + } + let result = await News.edit(id, req.body) if (result.error) { return res.status(400).jsonp({error: result.error}) diff --git a/server/routes/index.js b/server/routes/index.js index a7bc558..0f9cc35 100644 --- a/server/routes/index.js +++ b/server/routes/index.js @@ -36,6 +36,18 @@ function setSession (req, user) { } } +function redirectLogin (req, res) { + let uri = '/' + if (req.session.redirectUri) { + uri = req.session.redirectUri + delete req.session.redirectUri + } else if (req.query.redirect) { + uri = req.query.redirect + } + + res.redirect(uri) +} + router.use(wrap(async (req, res, next) => { // Add form messages into the template rendering if present let messages = req.flash('message') @@ -104,6 +116,19 @@ function extraButtons (req, res, next) { next() } +// Retrieve form data if formError was called +function formKeep (req, res, next) { + let dataSave = req.flash('formkeep') + if (dataSave.length) { + dataSave = dataSave[0] + } else { + dataSave = {} + } + + res.locals.formkeep = dataSave + next() +} + // Make sure the user is logged in // Redirect to login page and store the current path in the session for redirecting later function ensureLogin (req, res, next) { 
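Review bot: redirectLogin forwards to `req.query.redirect` without checking it, so a login link carrying an external URL in that parameter bounces an already-logged-in user to an arbitrary site; the removed code in `/login/verify` already behaved this way, but the helper now also serves the `/login` and `/register` GET routes in the next hunk, widening where the parameter is honoured. Restricting the target to a same-origin path before `res.redirect(uri)`, e.g. `if (typeof uri !== 'string' || !/^\/(?![\/\\])/.test(uri)) uri = '/'`, closes that off; a second `/` or a backslash is excluded because browsers treat `//host` as a scheme-relative URL. Whether `req.session.redirectUri` is always server-set (ensureLogin appears to store it, but its body is outside this hunk) is worth confirming so the same rule can be applied to it as well.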
@@ -113,30 +138,13 @@ function ensureLogin (req, res, next) { } router.get('/login', extraButtons, (req, res) => { - if (req.session.user) { - let uri = '/' - if (req.session.redirectUri) { - uri = req.session.redirectUri - delete req.session.redirectUri - } - - return res.redirect(uri) - } + if (req.session.user) return redirectLogin(req, res) res.render('user/login') }) -router.get('/register', extraButtons, (req, res) => { - if (req.session.user) return res.redirect('/') - - let dataSave = req.flash('formkeep') - if (dataSave.length) { - dataSave = dataSave[0] - } else { - dataSave = {} - } - - res.locals.formkeep = dataSave +router.get('/register', extraButtons, formKeep, (req, res) => { + if (req.session.user) return redirectLogin(req, res) if (config.security.recaptcha && config.security.recaptcha.site_key) { res.locals.recaptcha = config.security.recaptcha.site_key @@ -316,31 +324,12 @@ router.post('/login/verify', wrap(async (req, res, next) => { let user = await API.User.get(req.session.totp_check) delete req.session.totp_check - // Set session - req.session.user = { - id: user.id, - username: user.username, - display_name: user.display_name, - email: user.email, - avatar_file: user.avatar_file, - session_refresh: Date.now() + 1800000 // 30 minutes - } - - let uri = '/' - if (req.session.redirectUri) { - uri = req.session.redirectUri - delete req.session.redirectUri - } - - if (req.query.redirect) { - uri = req.query.redirect - } - - res.redirect(uri) + setSession(req, user) + redirectLogin(req, res) })) -// Log the user in -router.post('/login', wrap(async (req, res, next) => { +// Log the user in. Limited resource +router.post('/login', accountLimiter, wrap(async (req, res, next) => { if (req.session.user) return next() if (!req.body.username || !req.body.password || req.body.username === '') { return res.redirect('/login') 
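Review bot: `accountLimiter` is added to `/login` but not to `/login/verify`, which is the route that consumes the TOTP code; if accountLimiter is a rate limiter as its name suggests, the second factor deserves the same protection, i.e. `router.post('/login/verify', accountLimiter, wrap(async (req, res, next) => {`. The new `setSession(req, user)` call replaces an inline session object that set `session_refresh: Date.now() + 1800000`; setSession's body is outside this hunk (only its closing lines appear in the `@@ -36` hunk), so it is worth confirming it still sets that expiry. Both the `/login/verify` and `/login` handlers start or end outside this hunk.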
@@ -401,6 +390,12 @@ router.post('/register', accountLimiter, wrap(async (req, res, next) => { return formError(req, res, 'Invalid session! Try reloading the page.') } + // Ban check + let banStatus = await API.User.getBanStatus(req.realIP, true) + if (banStatus.length) { + return res.render('user/banned', {bans: banStatus, ipban: true}) + } + // 1st Check: Username Characters and length let username = req.body.username if (!username || !username.match(/^([\w-_]{3,26})$/i)) { @@ -470,7 +465,7 @@ router.post('/register', accountLimiter, wrap(async (req, res, next) => { // Do not include activation link message when the user is already activated let registerMessage = 'Account created successfully!' if (newUser.user && newUser.user.activated !== 1) { - registerMessage += ' Please check your email for an activation link.' + registerMessage += ' Please check your inbox for an activation link. Also, make sure to look into spam folders.' } req.flash('message', {error: false, text: registerMessage}) @@ -655,17 +650,17 @@ router.get('/docs/:name', (req, res, next) => { ======== */ -function privileged (req, res, next) { +function newsPrivilege (req, res, next) { if (!req.session.user) return res.redirect('/news') if (req.session.user.privilege < 1) return res.redirect('/news') next() } -router.get('/news/writer', privileged, wrap(async (req, res) => { +router.get('/news/compose', newsPrivilege, formKeep, wrap(async (req, res) => { res.render('news/composer') })) -router.post('/news/writer', privileged, wrap(async (req, res) => { +router.post('/news/compose', newsPrivilege, wrap(async (req, res) => { if (req.body.csrf !== req.session.csrf) { return formError(req, res, 'Invalid session! Try reloading the page.') } diff --git a/views/admin/index.pug b/views/admin/index.pug index 771c86c..885ff86 100644 --- a/views/admin/index.pug +++ b/views/admin/index.pug @@ -32,7 +32,7 @@ block body
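Review bot: The ban check in `/register` treats `banStatus.length` as its only signal, so if `API.User.getBanStatus` reports failure with an `{error: ...}` object, as updateClient, removeBan and News.edit do elsewhere in this diff, `.length` is undefined and the check silently fails open. Guarding the shape first, `if (!Array.isArray(banStatus)) return formError(req, res, 'Could not verify ban status. Try again later.')`, makes an API failure visible instead of skipping the check. Whether `req.realIP` comes from the socket address or from a client-supplied forwarding header is decided outside this diff and determines how much the IP ban is worth. The register handler starts and ends outside this hunk.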
{{display_name}}
{{id}} - {{username}}
{{email}}
-
Privilege: {{nw_privilege}} points
+
Privilege: level {{nw_privilege}}
{{created_at}}
{{^password}}
Used external login
diff --git a/views/news/composer.pug b/views/news/composer.pug
index a655419..cbd0059 100644
--- a/views/news/composer.pug
+++ b/views/news/composer.pug
@@ -19,11 +19,11 @@ block body
 form(action="", method="post")
 input(type="hidden", name="csrf", value=csrf)
 label(for="title") Title
- input(type="text", name="title", id="title")
+ input(type="text", name="title", id="title", value=formkeep.title)
 label(for="composer1") Content
- textarea(name="content" id="composer1")
+ textarea(name="content" id="composer1") #{formkeep.content}
 label(for="tags") Tags
- input(type="text", name="tags", id="tags")
+ input(type="text", name="tags", id="tags", value=formkeep.tags)
 input(type="submit", value="Submit")
 script.
 CKEDITOR.replace('composer1')
diff --git a/views/news/news.pug b/views/news/news.pug
index b7876d7..f099aab 100644
--- a/views/news/news.pug
+++ b/views/news/news.pug
@@ -7,7 +7,7 @@ block body
 .document
 .content
 if user && user.privilege && user.privilege > 0
- a.button(style="float: right;" href="/news/writer") New Article
+ a.button(style="float: right;" href="/news/compose") New Article
 h1 Icy Network News Archive
 if news.error
 span.error There are no articles to show.