some stuff again

2017-08-30 15:23:45 +03:00 · 2017-08-30 15:23:45 +03:00 · 95467dc041
parent c12ed739c7
commit 95467dc041
9 changed files with 62 additions and 60 deletions
--- a/documents/terms-of-service.html
+++ b/documents/terms-of-service.html
@ -4,6 +4,8 @@
 <p>Separate entities owned by Icy Network may have their own Terms and Conditions which you must read and comply with.</p>
 <h2>Who May Use the Services</h2>
 <p>You may use our Services only if you have not been previously unauthorized of doing so and that you are above the legal age of 13. Our Services may contain inappropriate language or images not suitable for minors.</p>
 <h3>Email Address</h3>
 <p>When signing up for an Account, you must provide a valid Email Address. If you use disposable/one-time email addresses, your Account may be subject to deletion.</p>
 <h2>Privacy</h2>
 <p>Icy Network requires you to sign up for an account or log in using another external website. Please read our <a href="/docs/privacy-policy">Privacy Policies</a> before entering any information into our Services to understand what information we may collect and what it's used for.</p>
 <h2>Content on the Services</h2>
--- a/server/api/admin.js
+++ b/server/api/admin.js
@ -115,8 +115,6 @@ const API = {
    return cleanClientObject(raw[0])
  },
  updateClient: async function (id, data) {
    if (isNaN(id)) return {error: 'Invalid client ID'}
    let fields = [
      'title', 'description', 'url', 'redirect_url', 'scope'
    ]
@ -207,7 +205,6 @@ const API = {
    }
  },
  removeBan: async function (banId) {
    if (isNaN(banId)) return {error: 'Invalid number'}
    return Models.Ban.query().delete().where('id', banId)
  },
  addBan: async function (data, adminId) {
--- a/server/api/news.js
+++ b/server/api/news.js
@ -94,7 +94,6 @@ const News = {
    return result
  },
  edit: async (id, body) => {
    if (!body.content) return {error: 'Content required'}
    let patch = {
      content: body.content,
      updated_at: new Date()
--- a/server/routes/admin.js
+++ b/server/routes/admin.js
@ -140,12 +140,15 @@ apiRouter.post('/client/new', wrap(async (req, res) => {
 }))
 apiRouter.post('/client/update', wrap(async (req, res) => {
-  if (!req.body.id) return res.status(400).jsonp({error: 'ID missing'})
+  let id = parseInt(req.body.id)
  if (!id || isNaN(id)) return res.status(400).jsonp({error: 'ID missing'})
  if (req.body.csrf !== req.session.csrf) {
    return res.status(400).jsonp({error: 'Invalid session'})
  }
-  let update = await API.updateClient(parseInt(req.body.id), req.body)
+  let update = await API.updateClient(id, req.body)
  if (update.error) {
    return res.status(400).jsonp({error: update.error})
  }
--- a/server/routes/api.js
+++ b/server/routes/api.js
@ -289,12 +289,18 @@ router.get('/news/all/', (req, res) => {
 })
 router.post('/news/edit/:id', wrap(async (req, res, next) => {
  let id = parseInt(req.params.id)
  if (!req.session.user || req.session.user.privilege < 1) return next()
-  if (!req.params.id || isNaN(parseInt(req.params.id))) {
+
  if (!id || isNaN(id)) {
    return res.status(400).jsonp({error: 'Invalid ID number.'})
  }
-  let id = parseInt(req.params.id)
+  if (!req.body.content) {
    return res.status(400).jsonp({error: 'Content is required.'})
  }
  let result = await News.edit(id, req.body)
  if (result.error) {
    return res.status(400).jsonp({error: result.error})
--- a/server/routes/index.js
+++ b/server/routes/index.js
@ -36,6 +36,18 @@ function setSession (req, user) {
  }
 }
 function redirectLogin (req, res) {
  let uri = '/'
  if (req.session.redirectUri) {
    uri = req.session.redirectUri
    delete req.session.redirectUri
  } else if (req.query.redirect) {
    uri = req.query.redirect
  }
  res.redirect(uri)
 }
 router.use(wrap(async (req, res, next) => {
  // Add form messages into the template rendering if present
  let messages = req.flash('message')
@ -104,6 +116,19 @@ function extraButtons (req, res, next) {
  next()
 }
 // Retrieve form data if formError was called
 function formKeep (req, res, next) {
  let dataSave = req.flash('formkeep')
  if (dataSave.length) {
    dataSave = dataSave[0]
  } else {
    dataSave = {}
  }
  res.locals.formkeep = dataSave
  next()
 }
 // Make sure the user is logged in
 // Redirect to login page and store the current path in the session for redirecting later
 function ensureLogin (req, res, next) {
@ -113,30 +138,13 @@ function ensureLogin (req, res, next) {
 }
 router.get('/login', extraButtons, (req, res) => {
-  if (req.session.user) {
+  if (req.session.user) return redirectLogin(req, res)
    let uri = '/'
    if (req.session.redirectUri) {
      uri = req.session.redirectUri
      delete req.session.redirectUri
    }
    return res.redirect(uri)
  }
  res.render('user/login')
 })
-router.get('/register', extraButtons, (req, res) => {
+router.get('/register', extraButtons, formKeep, (req, res) => {
-  if (req.session.user) return res.redirect('/')
+  if (req.session.user) return redirectLogin(req, res)
  let dataSave = req.flash('formkeep')
  if (dataSave.length) {
    dataSave = dataSave[0]
  } else {
    dataSave = {}
  }
  res.locals.formkeep = dataSave
  if (config.security.recaptcha && config.security.recaptcha.site_key) {
    res.locals.recaptcha = config.security.recaptcha.site_key
@ -316,31 +324,12 @@ router.post('/login/verify', wrap(async (req, res, next) => {
  let user = await API.User.get(req.session.totp_check)
  delete req.session.totp_check
-  // Set session
+  setSession(req, user)
-  req.session.user = {
+  redirectLogin(req, res)
    id: user.id,
    username: user.username,
    display_name: user.display_name,
    email: user.email,
    avatar_file: user.avatar_file,
    session_refresh: Date.now() + 1800000 // 30 minutes
  }
  let uri = '/'
  if (req.session.redirectUri) {
    uri = req.session.redirectUri
    delete req.session.redirectUri
  }
  if (req.query.redirect) {
    uri = req.query.redirect
  }
  res.redirect(uri)
 }))
-// Log the user in
+// Log the user in. Limited resource
-router.post('/login', wrap(async (req, res, next) => {
+router.post('/login', accountLimiter, wrap(async (req, res, next) => {
  if (req.session.user) return next()
  if (!req.body.username || !req.body.password || req.body.username === '') {
    return res.redirect('/login')
@ -401,6 +390,12 @@ router.post('/register', accountLimiter, wrap(async (req, res, next) => {
    return formError(req, res, 'Invalid session! Try reloading the page.')
  }
  // Ban check
  let banStatus = await API.User.getBanStatus(req.realIP, true)
  if (banStatus.length) {
    return res.render('user/banned', {bans: banStatus, ipban: true})
  }
  // 1st Check: Username Characters and length
  let username = req.body.username
  if (!username || !username.match(/^([\w-_]{3,26})$/i)) {
@ -470,7 +465,7 @@ router.post('/register', accountLimiter, wrap(async (req, res, next) => {
  // Do not include activation link message when the user is already activated
  let registerMessage = 'Account created successfully!'
  if (newUser.user && newUser.user.activated !== 1) {
-    registerMessage += ' Please check your email for an activation link.'
+    registerMessage += ' Please check your inbox for an activation link. Also, make sure to look into spam folders.'
  }
  req.flash('message', {error: false, text: registerMessage})
@ -655,17 +650,17 @@ router.get('/docs/:name', (req, res, next) => {
  ========
 */
-function privileged (req, res, next) {
+function newsPrivilege (req, res, next) {
  if (!req.session.user) return res.redirect('/news')
  if (req.session.user.privilege < 1) return res.redirect('/news')
  next()
 }
-router.get('/news/writer', privileged, wrap(async (req, res) => {
+router.get('/news/compose', newsPrivilege, formKeep, wrap(async (req, res) => {
  res.render('news/composer')
 }))
-router.post('/news/writer', privileged, wrap(async (req, res) => {
+router.post('/news/compose', newsPrivilege, wrap(async (req, res) => {
  if (req.body.csrf !== req.session.csrf) {
    return formError(req, res, 'Invalid session! Try reloading the page.')
  }
--- a/views/admin/index.pug
+++ b/views/admin/index.pug
@ -32,7 +32,7 @@ block body
 				<div class="display_name">{{display_name}}</div>
 				<div class="username">{{id}} - {{username}}</div>
 				<div class="email">{{email}}</div>
-				<div class="privilege">Privilege: {{nw_privilege}} points</div>
+				<div class="privilege">Privilege: level {{nw_privilege}}</div>
 				<div class="timestamp">{{created_at}}</div>
 				{{^password}}
 				<div class="external"><b>Used external login</b></div>
--- a/views/news/composer.pug
+++ b/views/news/composer.pug
@ -19,11 +19,11 @@ block body
 			form(action="", method="post")
 				input(type="hidden", name="csrf", value=csrf)
 				label(for="title") Title
-				input(type="text", name="title", id="title")
+				input(type="text", name="title", id="title", value=formkeep.title)
 				label(for="composer1") Content
-				textarea(name="content" id="composer1")
+				textarea(name="content" id="composer1") #{formkeep.content}
 				label(for="tags") Tags
-				input(type="text", name="tags", id="tags")
+				input(type="text", name="tags", id="tags", value=formkeep.tags)
 				input(type="submit", value="Submit")
 			script.
 				CKEDITOR.replace('composer1')
--- a/views/news/news.pug
+++ b/views/news/news.pug
@ -7,7 +7,7 @@ block body
 	.document
 		.content
 			if user && user.privilege && user.privilege > 0
-				a.button(style="float: right;" href="/news/writer") New Article
+				a.button(style="float: right;" href="/news/compose") New Article
 			h1 Icy Network News Archive
 			if news.error
 				span.error There are no articles to show.