Adding config bool for userhall image upload

2026-05-11 05:59:37 +02:00
parent 1f4cbfcec7
commit 9d4d3fbdcb
7 changed files with 101 additions and 60 deletions


@@ -50,6 +50,12 @@ export const handleHallImageUpload = async (req, res) => {
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
}
// CSRF check
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
if (!token || token !== session.csrf_token) {
return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
}
const hallSlug = req.params && req.params.slug;
if (!hallSlug) return sendJson(res, { success: false, msg: 'Missing hall slug' }, 400);
@@ -118,9 +124,9 @@ export const handleHallImageUpload = async (req, res) => {
// DELETE /api/v2/admin/halls/:slug/image — remove custom image
export const handleHallImageDelete = async (req, res) => {
const session = await lookupSession(req);
if (!session || (!session.admin && !session.is_moderator)) {
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
}
if (!session || (!session.admin && !session.is_moderator)) return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
if (!token || token !== session.csrf_token) return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
const hallSlug = req.params && req.params.slug;
if (!hallSlug) return sendJson(res, { success: false, msg: 'Missing hall slug' }, 400);
@@ -156,9 +162,9 @@ export const handleHallImageDelete = async (req, res) => {
// DELETE /api/v2/admin/halls/:slug — delete a hall entirely
export const handleHallDelete = async (req, res) => {
const session = await lookupSession(req);
if (!session || (!session.admin && !session.is_moderator)) {
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
}
if (!session || (!session.admin && !session.is_moderator)) return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
if (!token || token !== session.csrf_token) return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
const hallSlug = req.params && req.params.slug;
if (!hallSlug) return sendJson(res, { success: false, msg: 'Missing hall slug' }, 400);
@@ -176,9 +182,9 @@ export const handleHallDelete = async (req, res) => {
// PATCH /api/v2/admin/halls/:slug — update name/description/slug
export const handleHallUpdate = async (req, res) => {
const session = await lookupSession(req);
if (!session || (!session.admin && !session.is_moderator)) {
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
}
if (!session || (!session.admin && !session.is_moderator)) return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
if (!token || token !== session.csrf_token) return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
const hallSlug = req.params && req.params.slug;
if (!hallSlug) return sendJson(res, { success: false, msg: 'Missing slug' }, 400);
@@ -263,9 +269,10 @@ export const handleHallUpdate = async (req, res) => {
// POST /api/v2/admin/halls — create a new hall
export const handleHallCreate = async (req, res) => {
const session = await lookupSession(req);
if (!session || (!session.admin && !session.is_moderator)) {
return sendJson(res, { success: false, msg: 'Unauthorized' }, 403);
// CSRF check
const token = req.headers['x-csrf-token'] || req.url?.qs?.csrf_token;
if (!token || token !== session.csrf_token) {
return sendJson(res, { success: false, msg: 'Invalid CSRF token' }, 403);
}
let body = {};
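Review bot: The CSRF gate added just before `let body = {};` (and the same gate in the four hunks above) accepts the token from the query string as a fallback, `req.headers['x-csrf-token'] || req.url?.qs?.csrf_token`, which puts a per-session secret into URLs that end up in access logs, browser history and Referer headers; every route this protects is a state-changing POST/PATCH/DELETE that already sends a custom header, so reading the header only, `const token = req.headers['x-csrf-token'];`, closes that leak with no loss of function. The comparison `token !== session.csrf_token` is a plain string compare; if the stored token is a random string, a constant-time check is cheap: length-check first, then `crypto.timingSafeEqual(Buffer.from(token), Buffer.from(session.csrf_token))` (it throws on unequal lengths). The same session-then-CSRF preamble is now copied into five handlers in this file and the copies are already drifting (braced in the upload/create handlers, single-line in the others), so a helper that returns the session or sends the 403 would keep them identical. handleHallCreate's body continues past the end of the hunk, so the rest of the handler is not reviewed here.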