fix: raise forbidden when viewing invisible track and not author

Paul Bienkowski 2020-11-21 16:39:16 +01:00
parent fb11a71663
commit 2da013583b


@ -332,6 +332,11 @@ router.get(
req.payload ? User.findById(req.payload.id) : null, req.payload ? User.findById(req.payload.id) : null,
req.track.populate('author').execPopulate(), req.track.populate('author').execPopulate(),
]); ]);
if (!req.track.visible && req.track.author._id.toString() !== req.payload?.id?.toString()) {
return res.sendStatus(403);
}
return res.json({ track: req.track.toJSONFor(user, { body: true }) }); return res.json({ track: req.track.toJSONFor(user, { body: true }) });
}), }),
); );
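Review bot: The new guard dereferences `req.track.author._id` without checking that the populate call actually produced an author; if the referenced user no longer exists, `author` would presumably be null and the request ends in a TypeError rather than a clean 403. I would compute ownership explicitly and fail closed, e.g. `const isAuthor = req.payload?.id != null && req.track.author?._id?.toString() === req.payload.id.toString();` followed by `if (!req.track.visible && !isAuthor) return res.sendStatus(403);`. The check also relies on the id claim from the token rather than the `user` record loaded just above it, so a token whose account has since been removed would likely still pass; comparing against `user?._id` would close that gap. Answering 403 instead of 404 confirms to any caller that a hidden track exists at that URL, which is worth a deliberate decision and a short comment. The handler starts outside the hunk, so whether the other routes that load `req.track` apply the same visibility rule cannot be seen here.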