Fix unauthenticated file uploads

This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.

It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2020-11-23 12:50:39 +01:00 committed by David Mehren
parent dc29a286e6
commit d097211c54
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3

View file

@ -23,6 +23,9 @@ imageRouter.post('/uploadimage', function (req, res) {
if (err) {
logger.error(`formidable error: ${err}`)
return errors.errorForbidden(res)
} else if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) {
logger.error(`formidable error: Anonymous edits and therefore uploads are not allowed)`)
return errors.errorForbidden(res)
} else if (!files.image || !files.image.path) {
logger.error(`formidable error: Upload didn't contain file)`)
return errors.errorBadRequest(res)