surya/freeplanet_serverside
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- mappa iniziale

Browse Source 
- fix PATCH /chval Json Injections: era possibile cambiare la password !
- ogni giorno sblocca la lista di chi chiede troppe richieste di recupero password.
This commit is contained in:
Surya Paolo
2024-03-21 21:22:57 +01:00
parent 3e0d0bf018
commit bd95e4457f
6 changed files with 77 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
src/server/router/index_router.js
View File

@@ -157,7 +157,7 @@ router.post(process.env.ADD_NEW_SITE, async (req, res) => {
console.log('Add New Site: idapp = ', idapp, 'email=', email, 'name=', name);
const ris = await User.addNewSite(idapp, body);
if (ris) {
res.send(ris);
} else {
@@ -168,7 +168,7 @@ router.post(process.env.ADD_NEW_SITE, async (req, res) => {
console.log(process.env.ADD_NEW_SITE, e.message);
res.status(400).send({ code: server_constants.RIS_CODE_ERR, msg: e });
}
});
@@ -185,8 +185,10 @@ router.post(process.env.LINK_REQUEST_NEWPASSWORD, async (req, res) => {
// Check if too many requests
if (await User.tooManyReqPassword(idapp, email, true)) {
console.log(process.env.LINK_REQUEST_NEWPASSWORD, 'TOO MANY REQUESTS !!! EXIT ', email);
res.status(400).send({ code: server_constants.RIS_CODE_ERR, msg: 'TOO MANY REQUESTS' });
let text = 'Troppe richieste di Password: ' + email;
telegrambot.sendMsgTelegramToTheManagers(idapp, text, true);
console.log(process.env.LINK_REQUEST_NEWPASSWORD, text, email);
res.status(400).send({ code: server_constants.RIS_CODE_ERR, msg: text });
return false;
}
@@ -307,7 +309,7 @@ router.get('/test1', authenticate_noerror, async (req, res) => {
router.post('/settable', authenticate, async (req, res) => {
const params = req.body;
const mytable = globalTables.getTableByTableName(params.table);
let mydata = req.body.data;
let extrarec = {};
if (mydata && mydata.hasOwnProperty('extrarec')) {
@@ -339,7 +341,7 @@ router.post('/settable', authenticate, async (req, res) => {
if ((!User.isAdmin(req.user.perm) && !User.isManager(req.user.perm) &&
!User.isEditor(req.user.perm) && !User.isFacilitatore(req.user.perm)) &&
!tools.ModificheConsentite(params.table, fieldsvalue)) {
!tools.ModificheConsentite(req, params.table, fieldsvalue)) {
// If without permissions, exit
return res.status(404).
send({ code: server_constants.RIS_CODE_ERR_UNAUTHORIZED, msg: '' });
@@ -849,12 +851,16 @@ router.patch('/chval', authenticate, async (req, res) => {
// tools.mylogshow('PATCH CHVAL: ', id, fieldsvalue);
req.user.perm = 0;
// If I change my record...
if (((!User.isAdmin(req.user.perm) && !User.isManager(req.user.perm) &&
!User.isEditor(req.user.perm) && !User.isFacilitatore(req.user.perm)) &&
(req.user._id.toString() !== id) &&
(!tools.ModificheConsentite(mydata.table, fieldsvalue)))
&& !((mydata.table === 'accounts') && await Account.canEditAccountAdmins(req.user.username, mydata.id))
if (((!User.isAdmin(req.user.perm)
&& !User.isManager(req.user.perm)
&& !User.isEditor(req.user.perm)
&& !User.isFacilitatore(req.user.perm))
&& (!tools.ModificheConsentite(req, mydata.table, fieldsvalue, id)))
&& !((mydata.table === 'accounts')
&& await Account.canEditAccountAdmins(req.user.username, mydata.id))
) {
// If without permissions, exit
return res.status(404).
@@ -1036,7 +1042,7 @@ router.patch('/chval', authenticate, async (req, res) => {
}
}
if (tools.ModificheConsentite(mydata.table, fieldsvalue)) {
if (tools.ModificheConsentite(req, mydata.table, fieldsvalue)) {
let msg = '';
if (mydata.table === 'users') {
if ('aportador_solidario' in fieldsvalue) {
@@ -1235,7 +1241,7 @@ router.delete('/delrec/:table/:id', authenticate, async (req, res) => {
if ((!User.isAdmin(req.user.perm) && !User.isManager(req.user.perm)) &&
(tablename !== 'extralist') &&
!tools.ModificheConsentite(tablename, fields, id, req.user)) {
!tools.ModificheConsentite(req, tablename, fields, id, req.user)) {
// If without permissions, exit
return res.status(404).
send({ code: server_constants.RIS_CODE_ERR_UNAUTHORIZED, msg: '' });
@@ -1264,7 +1270,7 @@ router.delete('/delrec/:table/:id', authenticate, async (req, res) => {
if (!cancellato) {
// ELIMINA VERAMENTE IL RECORD !!!
ris = await mytable.deleteOne({_id: id}).then((rec) => {
ris = await mytable.deleteOne({ _id: id }).then((rec) => {
if (!rec) {
// res.status(404).send();
return false;
@@ -1450,7 +1456,7 @@ function load(req, res, version) {
try {
if (req.user)
ismanager = User.isManager(req.user.perm)
} catch(e) {
} catch (e) {
}
let products = Product.findAllIdApp(idapp, undefined, undefined, ismanager);
let productInfos = ProductInfo.findAllIdApp(idapp);
@@ -1824,7 +1830,7 @@ function uploadFile(req, res, version) {
oldpath = file.newFilename;
let fromfile = '.' + server_constants.DIR_UPLOAD + '/' + dir + '/' + oldpath;
let tofile = '.' + server_constants.DIR_UPLOAD + '/' + dir + '/' + file.originalFilename;
let mydircurrent = process.cwd() + '/src/server/router/upload/' + dir;