agw/overleaf-cep
1
0
Fork 0
mirror of https://github.com/yu-i-i/overleaf-cep.git synced 2026-06-05 15:19:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2742 from overleaf/jpa-hotfix-user-lookup

Browse Source 
[UserPagesController] block arbitrary user lookups

GitOrigin-RevId: 4d88abbd0ad14289a73e7f502c0686f206617459
This commit is contained in:
Jakob Ackermann
2020-04-13 15:18:50 +02:00
committed by Copybot
parent 0586f4d682
commit 825d0701e8
2 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
services/web/app/src/Features/User/UserPagesController.js
+4
View File
@@ -34,6 +34,10 @@ const UserPagesController = {
return ErrorController.notFound(req, res)
}
if (typeof req.query.user_id !== 'string') {
return ErrorController.forbidden(req, res)
}
UserGetter.getUser(
req.query.user_id,
{ email: 1, loginCount: 1 },
services/web/test/unit/src/User/UserPagesControllerTests.js
+6
View File
@@ -318,6 +318,12 @@ describe('UserPagesController', function() {
return this.UserPagesController.activateAccountPage(this.req, this.res)
})
it('should 403 for complex user_id', function(done) {
this.ErrorController.forbidden = () => done()
this.req.query.user_id = { first_name: 'X' }
return this.UserPagesController.activateAccountPage(this.req, this.res)
})
it('should redirect activated users to login', function(done) {
this.user.loginCount = 1
this.res.redirect = url => {