- mappa iniziale

- fix PATCH /chval Json Injections: era possibile cambiare la password !
- ogni giorno sblocca la lista di chi chiede troppe richieste di recupero password.

src/server/models/user.js

@@ -133,6 +133,9 @@ const UserSchema = new mongoose.Schema({
   ipaddr: {
     type: String,
   },
+  banIp: {
+    type: Boolean,
+  },
   date_reg: {
     type: Date,
   },

src/server/router/index_router.js

@@ -185,8 +185,10 @@ router.post(process.env.LINK_REQUEST_NEWPASSWORD, async (req, res) => {
 
     // Check if too many requests
     if (await User.tooManyReqPassword(idapp, email, true)) {
-      console.log(process.env.LINK_REQUEST_NEWPASSWORD, 'TOO MANY REQUESTS !!! EXIT ', email);
+      let text = 'Troppe richieste di Password: ' + email;
-      res.status(400).send({ code: server_constants.RIS_CODE_ERR, msg: 'TOO MANY REQUESTS' });
+      telegrambot.sendMsgTelegramToTheManagers(idapp, text, true);
+      console.log(process.env.LINK_REQUEST_NEWPASSWORD, text, email);
+      res.status(400).send({ code: server_constants.RIS_CODE_ERR, msg: text });
       return false;
     }
 
@@ -339,7 +341,7 @@ router.post('/settable', authenticate, async (req, res) => {
 
     if ((!User.isAdmin(req.user.perm) && !User.isManager(req.user.perm) &&
       !User.isEditor(req.user.perm) && !User.isFacilitatore(req.user.perm)) &&
-      !tools.ModificheConsentite(params.table, fieldsvalue)) {
+      !tools.ModificheConsentite(req, params.table, fieldsvalue)) {
       // If without permissions, exit
       return res.status(404).
         send({ code: server_constants.RIS_CODE_ERR_UNAUTHORIZED, msg: '' });
@@ -849,12 +851,16 @@ router.patch('/chval', authenticate, async (req, res) => {
 
     // tools.mylogshow('PATCH CHVAL: ', id, fieldsvalue);
 
+    req.user.perm = 0;
+
     // If I change my record...
-    if (((!User.isAdmin(req.user.perm) && !User.isManager(req.user.perm) &&
+    if (((!User.isAdmin(req.user.perm)
-      !User.isEditor(req.user.perm) && !User.isFacilitatore(req.user.perm)) &&
+      && !User.isManager(req.user.perm)
-      (req.user._id.toString() !== id) &&
+      && !User.isEditor(req.user.perm)
-      (!tools.ModificheConsentite(mydata.table, fieldsvalue)))
+      && !User.isFacilitatore(req.user.perm))  
-      && !((mydata.table === 'accounts') && await Account.canEditAccountAdmins(req.user.username, mydata.id))
+      && (!tools.ModificheConsentite(req, mydata.table, fieldsvalue, id)))
+      && !((mydata.table === 'accounts') 
+      && await Account.canEditAccountAdmins(req.user.username, mydata.id))
     ) {
       // If without permissions, exit
       return res.status(404).
@@ -1036,7 +1042,7 @@ router.patch('/chval', authenticate, async (req, res) => {
             }
           }
 
-          if (tools.ModificheConsentite(mydata.table, fieldsvalue)) {
+          if (tools.ModificheConsentite(req, mydata.table, fieldsvalue)) {
             let msg = '';
             if (mydata.table === 'users') {
               if ('aportador_solidario' in fieldsvalue) {
@@ -1235,7 +1241,7 @@ router.delete('/delrec/:table/:id', authenticate, async (req, res) => {
 
   if ((!User.isAdmin(req.user.perm) && !User.isManager(req.user.perm)) &&
     (tablename !== 'extralist') &&
-    !tools.ModificheConsentite(tablename, fields, id, req.user)) {
+    !tools.ModificheConsentite(req, tablename, fields, id, req.user)) {
     // If without permissions, exit
     return res.status(404).
       send({ code: server_constants.RIS_CODE_ERR_UNAUTHORIZED, msg: '' });

src/server/router/users_router.js

@@ -168,7 +168,9 @@ router.post('/', async (req, res) => {
               user.surname;
             tools.writeIPToBan(msg);
 
-            await telegrambot.sendMsgTelegramToTheAdmin(body.idapp, 'BAN: ' + msg, true);
+            await User.findOneAndUpdate({ _id: user._id }, { $set: { banIp: true } });
+
+            await telegrambot.sendMsgTelegramToTheAdmin(body.idapp, '‼️ BAN: ' + msg, true);
 
             await tools.snooze(5000);
             res.status(400).

src/server/server.js

@@ -413,7 +413,7 @@ async function mycron() {
 }
 
 async function mycron_30min() {
-  for (const app of tools.getApps()) {
+  for (const app of await tools.getApps()) {
     let enablecrontab = false;
 
     enablecrontab = await Settings.getValDbSettings(app.idapp,
@@ -425,6 +425,29 @@ async function mycron_30min() {
   }
 }
 
+async function mycron_everyday() {
+  try {
+
+    const { User } = require('./models/user');
+
+    const arrapps = await tools.getApps();
+    for (const app of arrapps) {
+
+      // Azzera le richieste di password:
+      const usersblocked = await User.find({ idapp: app.idapp, retry_pwd: { $exists: true, $gte: 29 } }).lean();
+      for (const user of usersblocked) {
+        await User.findOneAndUpdate({ _id: user._id }, { $set: { retry_pwd: 20 } });
+        let text = `⚠️⚠️⚠️ L\'utente ${user.username} (${user.name} ${user.surname}) viene sbloccato dal numero massimo di tentativi di richiesta password!\nTelerlo d\'occhio !\n@${user.profile.username_telegram}`;
+        await telegrambot.sendMsgTelegramToTheAdminAllSites(text, false);
+      }
+
+    }
+  } catch (e) {
+    console.error('mycron_everyday: ', e);
+  }
+}
+
+
 function testmsgwebpush() {
   const { User } = require('./models/user');
 
@@ -463,6 +486,11 @@ cron.schedule('*/60 * * * *', async () => {
   }
 });
 
+// Cron every 21:00 (1 volta al giorno)
+cron.schedule('0 21 * * *', async () => {
+  mycron_everyday();
+});
+
 // mycron_30min();
 
 // tools.writelogfile('test', 'prova.txt');
@@ -489,6 +517,7 @@ async function resetProcessingJob() {
 async function inizia() {
 
   try {
+    mycron_everyday();
 
     if (process.env.NODE_ENV === 'development') {
       await telegrambot.sendMsgTelegram(tools.FREEPLANET,

src/server/tools/general.js

@@ -3765,14 +3765,23 @@ module.exports = {
     return mystr.replace(/\s+/g, '');
   },
 
-  ModificheConsentite(table, fieldsvalue, idrec, user) {
+  ModificheConsentite(req, table, fieldsvalue, idrec, user) {
     if (table === 'sharewithus') {
       return true;
     }
+    
     if (table === 'hours') {
       return true;
     }
     if (table === 'users') {
+      if (idrec && (req.user._id.toString() === idrec)) {
+        if (Object.keys(fieldsvalue).some(key => key.startsWith('profile.'))) {
+          return true;
+        }
+        if (Object.keys(fieldsvalue).some(key => server_constants.User_Fields.includes(key))) {
+          return true;
+        }
+      }
       if ('aportador_solidario' in fieldsvalue) {
         return true;
       }

src/server/tools/server_constants.js

@@ -113,4 +113,11 @@ module.exports = Object.freeze({
     TYPE_SUBDIR: 2,
   },
 
+  User_Fields: [
+    'name',
+    'surname',
+    'news_on',
+    'profile',
+  ]
+
 });