Adding config bool for userhall image upload
@@ -50,6 +50,12 @@ export const handleHallImageUpload = async (req, res) => {
|
||||
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
|
||||
}
|
||||
|
||||
// CSRF check
|
||||
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
|
||||
if (!token || token !== session.csrf_token) {
|
||||
return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
|
||||
}
|
||||
|
||||
const hallSlug = req.params && req.params.slug;
|
||||
if (!hallSlug) return sendJson(res, { success: false, msg: 'Missing hall slug' }, 400);
|
||||
|
||||
@@ -118,9 +124,9 @@ export const handleHallImageUpload = async (req, res) => {
|
||||
// DELETE /api/v2/admin/halls/:slug/image — remove custom image
|
||||
export const handleHallImageDelete = async (req, res) => {
|
||||
const session = await lookupSession(req);
|
||||
if (!session || (!session.admin && !session.is_moderator)) {
|
||||
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
|
||||
}
|
||||
if (!session || (!session.admin && !session.is_moderator)) return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
|
||||
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
|
||||
if (!token || token !== session.csrf_token) return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
|
||||
|
||||
const hallSlug = req.params && req.params.slug;
|
||||
if (!hallSlug) return sendJson(res, { success: false, msg: 'Missing hall slug' }, 400);
|
||||
@@ -156,9 +162,9 @@ export const handleHallImageDelete = async (req, res) => {
|
||||
// DELETE /api/v2/admin/halls/:slug — delete a hall entirely
|
||||
export const handleHallDelete = async (req, res) => {
|
||||
const session = await lookupSession(req);
|
||||
if (!session || (!session.admin && !session.is_moderator)) {
|
||||
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
|
||||
}
|
||||
if (!session || (!session.admin && !session.is_moderator)) return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
|
||||
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
|
||||
if (!token || token !== session.csrf_token) return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
|
||||
|
||||
const hallSlug = req.params && req.params.slug;
|
||||
if (!hallSlug) return sendJson(res, { success: false, msg: 'Missing hall slug' }, 400);
|
||||
@@ -176,9 +182,9 @@ export const handleHallDelete = async (req, res) => {
|
||||
// PATCH /api/v2/admin/halls/:slug — update name/description/slug
|
||||
export const handleHallUpdate = async (req, res) => {
|
||||
const session = await lookupSession(req);
|
||||
if (!session || (!session.admin && !session.is_moderator)) {
|
||||
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
|
||||
}
|
||||
if (!session || (!session.admin && !session.is_moderator)) return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
|
||||
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
|
||||
if (!token || token !== session.csrf_token) return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
|
||||
|
||||
const hallSlug = req.params && req.params.slug;
|
||||
if (!hallSlug) return sendJson(res, { success: false, msg: 'Missing slug' }, 400);
|
||||
@@ -263,9 +269,10 @@ export const handleHallUpdate = async (req, res) => {
|
||||
|
||||
// POST /api/v2/admin/halls — create a new hall
|
||||
export const handleHallCreate = async (req, res) => {
|
||||
const session = await lookupSession(req);
|
||||
if (!session || (!session.admin && !session.is_moderator)) {
|
||||
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
|
||||
// CSRF check
|
||||
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
|
||||
if (!token || token !== session.csrf_token) {
|
||||
return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
|
||||
}
|
||||
|
||||
let body = {};
|
||||
|
||||
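Review bot: In the handleHallCreate hunk the closing brace of the `if (!session || (!session.admin && !session.is_moderator))` guard is not visible between the `Unauthorized` return and the `// CSRF check` line, and the 9→10 line counts of the rendered hunk do not settle whether it was dropped by the page or is genuinely absent; if the CSRF block sits inside the unauthorized branch, `session.csrf_token` would be read on a null session, so please confirm against the raw diff. The same session-plus-CSRF preamble is now repeated in five handlers, in two different layouts (braced block in handleHallImageUpload/handleHallCreate, one-liners in the other three), which is exactly the shape that drifts apart on the next edit; a single guard that writes the 403 itself and hands back the session keeps the check identical everywhere. The handlers would then start with `const session = await requireModeratorCsrf(req, res); if (!session) return;` — presumably nothing depends on the value returned from `sendJson`, which the current code returns through, but verify. Each handler's body continues outside its hunk.
```javascript
// Shared guard for the admin hall handlers: requires an admin or moderator
// session and a matching CSRF token. Writes the 403 itself and returns null
// on failure, otherwise returns the session.
const requireModeratorCsrf = async (req, res) => {
  const session = await lookupSession(req);
  if (!session || (!session.admin && !session.is_moderator)) {
    sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
    return null;
  }
  const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
  if (!token || token !== session.csrf_token) {
    sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
    return null;
  }
  return session;
};

// POST /api/v2/admin/halls — create a new hall
export const handleHallCreate = async (req, res) => {
  const session = await requireModeratorCsrf(req, res);
  if (!session) return;
  // … unchanged: body parsing …
```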
@@ -443,7 +443,7 @@ process.on('uncaughtException', err => {
|
||||
// Hall manager routes are handled by bypass middleware with their own session auth
|
||||
if (cfg.websrv.halls_enabled !== false && req.url.pathname.match(/^\/api\/v2\/admin\/halls(\/|$)/)) return;
|
||||
// User hall image upload is handled by bypass middleware below
|
||||
if (cfg.websrv.userhalls_enabled !== false && req.url.pathname.match(/^\/api\/v2\/me\/halls\/[^/]+\/image$/)) return;
|
||||
if (cfg.websrv.userhalls_enabled !== false && cfg.websrv.enable_userhall_image_upload !== false && req.url.pathname.match(/^\/api\/v2\/me\/halls\/[^/]+\/image$/)) return;
|
||||
if (!validateCsrf(req, res)) return;
|
||||
});
|
||||
|
||||
@@ -544,7 +544,7 @@ process.on('uncaughtException', err => {
|
||||
|
||||
// Bypass middleware for user hall image uploads (multipart — raw body needed)
|
||||
app.use(async (req, res) => {
|
||||
if (cfg.websrv.userhalls_enabled === false) return;
|
||||
if (cfg.websrv.userhalls_enabled === false || cfg.websrv.enable_userhall_image_upload === false) return;
|
||||
const userHallImgMatch = req.url.pathname.match(/^\/api\/v2\/me\/halls\/([^/]+)\/image$/);
|
||||
if (userHallImgMatch && req.method === 'POST') {
|
||||
console.error('[BOOT] [USER_HALL BYPASS] Image upload:', req.url.pathname);
|
||||
@@ -733,6 +733,7 @@ process.on('uncaughtException', err => {
|
||||
get halls() { return getHalls(); },
|
||||
halls_enabled: cfg.websrv.halls_enabled !== false,
|
||||
userhalls_enabled: cfg.websrv.userhalls_enabled !== false,
|
||||
enable_userhall_image_upload: cfg.websrv.enable_userhall_image_upload !== false,
|
||||
abyss_enabled: cfg.websrv.abyss_enabled !== false,
|
||||
smtp_enabled: !!(cfg.smtp && cfg.smtp.enabled && cfg.smtp.mail_reset_password),
|
||||
show_background_cfg: cfg.websrv.background !== false,
|
||||
|
||||
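Review bot: The new feature gate is now spelled out twice with opposite polarity — `userhalls_enabled !== false && enable_userhall_image_upload !== false` on the validateCsrf skip and `userhalls_enabled === false || enable_userhall_image_upload === false` on the bypass middleware's early return — and the two must stay in lockstep, because the first line skips the global CSRF check on the assumption that the second handler will run its own. If a later edit changes one but not the other, a POST to `/api/v2/me/halls/:slug/image` could skip `validateCsrf` and then fall through to whatever middleware follows, presumably without any CSRF check at all; computing the gate once, e.g. `const userHallImageUploadEnabled = cfg.websrv.userhalls_enabled !== false && cfg.websrv.enable_userhall_image_upload !== false;` near the other `cfg.websrv` reads and using it in both places (and for the `enable_userhall_image_upload` entry exposed on the config object) removes that hazard. The flag is evaluated only in these middlewares; if handleUserHallImageUpload can be reached by any other route, it should refuse when the flag is off as well. Both middleware bodies continue outside their hunks.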
@@ -48,7 +48,7 @@ export const handleUserHallImageUpload = async (req, res, slug) => {
|
||||
if (!session) return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
|
||||
|
||||
// CSRF check
|
||||
const token = req.headers['x-csrf-token'];
|
||||
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
|
||||
if (!token || token !== session.csrf_token) {
|
||||
return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
|
||||
}
|
||||
|
||||
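Review bot: The new `|| req.url?.qs?.csrf_token` fallback puts the CSRF token into the request URL, where it ends up in access logs, proxy logs, browser history and outgoing `Referer` headers, which weakens the token considerably compared with the header-only form this line replaces; if the fallback exists because a multipart form submission cannot set a header, prefer a hidden form field read from the parsed body, or at least document on this line why the query string is accepted for this one endpoint. Depending on how `qs` is parsed, a repeated `csrf_token=` parameter may also arrive as an array rather than a string, so the check should insist on `typeof token === 'string'` before comparing. The `!==` comparison of two secrets is not constant-time; a length check followed by `crypto.timingSafeEqual(Buffer.from(token), Buffer.from(session.csrf_token))` (with `import crypto from 'node:crypto'` at the top of the file) is the usual fix, e.g. `if (typeof token !== 'string' || typeof session.csrf_token !== 'string' || token.length !== session.csrf_token.length || !crypto.timingSafeEqual(Buffer.from(token), Buffer.from(session.csrf_token)))`. The handler's body continues outside the hunk.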