
In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and requires the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
'use strict'
const crypto = require('crypto')

const Router = require('express').Router

const response = require('../response')
const config = require('../config')
const models = require('../models')
const logger = require('../logger')
const {generateAvatar} = require('../letter-avatars')
// Express router holding the user routes; it is also this module's export,
// so requiring the file yields the router itself.
const UserRouter = Router()
module.exports = UserRouter
// get me info
//
// Answers with the signed-in user's id, display name and avatar photo.
// An unauthenticated request is answered with HTTP 200 and
// `status: 'forbidden'` in the body (unlike the delete route below, which
// uses response.errorForbidden); a missing user row yields errorNotFound
// and any lookup failure is logged and turned into errorInternalError.
UserRouter.get('/me', function (req, res) {
  if (!req.isAuthenticated()) {
    res.send({
      status: 'forbidden'
    })
    return
  }
  const query = {
    where: {
      id: req.user.id
    }
  }
  models.User.findOne(query).then(function (user) {
    if (!user) { return response.errorNotFound(res) }
    const profile = models.User.getProfile(user)
    res.send({
      status: 'ok',
      id: req.user.id,
      name: profile.name,
      photo: profile.photo
    })
  }).catch(function (err) {
    logger.error(`read me failed: ${err}`)
    return response.errorInternalError(res)
  })
})
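// Compares the stored delete token with the one supplied in the URL.
//
// Both values must be strings: the `:token?` route segment is optional, so
// `req.params.token` is undefined when it is omitted, and a stored token that
// happens to be unset must never match that (a plain `===` would treat
// undefined === undefined as a match). Lengths are checked first because
// crypto.timingSafeEqual throws on buffers of different size; the comparison
// itself is constant-time so the token cannot be guessed byte by byte.
//
// @param {string} expected - token stored on the user row
// @param {string|undefined} provided - token taken from the request URL
// @returns {boolean} true only when both are strings and identical
function tokenMatches (expected, provided) {
  if (typeof expected !== 'string' || typeof provided !== 'string') {
    return false
  }
  const expectedBuf = Buffer.from(expected)
  const providedBuf = Buffer.from(provided)
  if (expectedBuf.length !== providedBuf.length) {
    return false
  }
  return crypto.timingSafeEqual(expectedBuf, providedBuf)
}

// delete the currently authenticated user
//
// The route is reachable via GET, so the deletion is guarded by a per-user
// secret (user.deleteToken) that must appear in the URL: a plain link such as
// `/me/delete` cannot trick a logged-in user into wiping their account.
// Unauthenticated callers and wrong/missing tokens get errorForbidden, a
// missing user row errorNotFound; on success the browser is redirected to
// config.serverURL. Any failure of the lookup or the delete is logged and
// answered with errorInternalError.
UserRouter.get('/me/delete/:token?', function (req, res) {
  if (!req.isAuthenticated()) {
    return response.errorForbidden(res)
  }
  models.User.findOne({
    where: {
      id: req.user.id
    }
  }).then(function (user) {
    if (!user) {
      return response.errorNotFound(res)
    }
    if (!tokenMatches(user.deleteToken, req.params.token)) {
      return response.errorForbidden(res)
    }
    // Return the destroy promise so that a failed delete reaches the catch
    // below instead of leaving the request without any response.
    return user.destroy().then(function () {
      res.redirect(config.serverURL + '/')
    })
  }).catch(function (err) {
    logger.error('delete user failed: ' + err)
    return response.errorInternalError(res)
  })
})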
// Public avatar endpoint: renders a letter avatar for the username in the
// URL, cacheable by shared caches for one day.
// NOTE(review): the username is taken straight from the URL and the result is
// served as image/svg+xml, so generateAvatar has to escape it for SVG markup —
// confirm in ../letter-avatars.
UserRouter.get('/user/:username/avatar.svg', function (req, res, next) {
  const headers = {
    'Content-Type': 'image/svg+xml',
    'Cache-Control': 'public, max-age=86400'
  }
  Object.keys(headers).forEach(function (name) {
    res.setHeader(name, headers[name])
  })
  res.send(generateAvatar(req.params.username))
})