Add config option which requires authentication in FreeURL mode

This mitigates unintended note creation by bots or humans through a
simple GET call.

See discussion in #754.

Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
Nicolas Dietrich 2021-01-22 16:47:47 +01:00
parent 3331c0947c
commit 497569fee4
5 changed files with 5 additions and 1 deletions


@ -52,7 +52,7 @@ exports.newNote = function (req, res, body) {
return errors.errorForbidden(res)
}
if (noteId) {
if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) {
if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId) && (!config.requireFreeURLAuthentication || req.isAuthenticated())) {
req.alias = noteId
} else {
return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)
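Review bot: The authentication clause added to the `if (config.allowFreeURL && ...)` line only narrows who can create a note through a FreeURL request; a GET from a logged-in session still reaches `req.alias = noteId`, so note creation remains a side effect of GET for authenticated users, and the option's documentation should say that. A failed authentication check also falls into the same `else` as a forbidden ID, so an unauthenticated GET gets a 404 with no hint that logging in would help; that may be intended, but it deserves a comment. The condition now packs three separate policy checks into one line, and naming the new one would make it readable: `const freeURLAuthOk = !config.requireFreeURLAuthentication || req.isAuthenticated()` with a comment such as `// FreeURL creation may be restricted to logged-in users`. The default value of `requireFreeURLAuthentication` is not visible in this hunk, so confirm it matches what operators of existing instances expect. The body of newNote starts before and continues past the hunk.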