fix sensitive data modify

90a80e72 · nanahira · 5799ae7c · 90a80e72 · 90a80e72
Commit 90a80e72 authored Sep 26, 2021 by nanahira
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 3 deletions

src/controllers/user.ts src/controllers/user.ts +16 -2

src/routes.ts src/routes.ts +3 -1

No files found.
--- a/src/controllers/user.ts
+++ b/src/controllers/user.ts
@@ -56,10 +56,16 @@ export const UpdateProfiles = async (ctx: Context) => {
        ctx.throw(400);
    }

-    if (user.username && process.env.NO_CHANGE_USERNAME) {
+    const targetUser = ctx.request.body;
+
+    if (targetUser.username && process.env.NO_CHANGE_USERNAME) {
        ctx.throw("Changing username is currently not allowed.", 400);
    }

+    if (user.id != targetUser.id || targetUser.admin != null || targetUser.active != null || targetUser.registration_ip_address || targetUser.ip_address) {
+        ctx.throw("Cannot change sensitive data.", 400);
+    }
+
    const userRep = getEntityManager().getRepository(User);

    let _user: User | undefined = await userRep
@@ -73,7 +79,7 @@ export const UpdateProfiles = async (ctx: Context) => {
    }


-    Object.assign(_user, ctx.request.body);
+    Object.assign(_user, targetUser);


    await getEntityManager().save(_user);
@@ -215,3 +221,11 @@ export const getUserAvatar = async (ctx: Context) => {
    }
    ctx.body = user.avatarURL()
 };
+
+export const allowChangeUsername = async (ctx: Context) => {
+    ctx.status = 200;
+    const envData = process.env.NO_CHANGE_USERNAME;
+    ctx.body = {
+        allow: !envData, reason: envData
+    }
+};
--- a/src/routes.ts
+++ b/src/routes.ts
@@ -23,5 +23,7 @@ router.get('/users/:username.json', user.legacyYGOProAuth);
 router.get('/users/:username.png', user.legacyYGOProAvatar);
 router.get('/users/:username.avatar', user.getUserAvatar);

+router.get('/allowChangeUsername', user.allowChangeUsername)

-export default router;
\ No newline at end of file
+
+export default router;