Add limit for constrain anonymous view note

This commit is contained in:
蒼時弦也 2017-01-05 22:36:40 +08:00
parent 23a12dd927
commit aaf1ff4b2f
2 changed files with 5 additions and 3 deletions

View file

@ -20,6 +20,7 @@ var urladdport = process.env.HMD_URL_ADDPORT ? (process.env.HMD_URL_ADDPORT ===
var usecdn = process.env.HMD_USECDN ? (process.env.HMD_USECDN === 'true') : ((typeof config.usecdn === 'boolean') ? config.usecdn : true); var usecdn = process.env.HMD_USECDN ? (process.env.HMD_USECDN === 'true') : ((typeof config.usecdn === 'boolean') ? config.usecdn : true);
var allowanonymous = process.env.HMD_ALLOW_ANONYMOUS ? (process.env.HMD_ALLOW_ANONYMOUS === 'true') : ((typeof config.allowanonymous === 'boolean') ? config.allowanonymous : true); var allowanonymous = process.env.HMD_ALLOW_ANONYMOUS ? (process.env.HMD_ALLOW_ANONYMOUS === 'true') : ((typeof config.allowanonymous === 'boolean') ? config.allowanonymous : true);
var allowanonymousView = process.env.HMD_ALLOW_ANONYMOUS_VIEW ? (process.env.HMD_ALLOW_ANONYMOUS_VIEW === 'true') : ((typeof config.allowanonymousView === 'boolean') ? config.allowanonymousView : true);
var allowfreeurl = process.env.HMD_ALLOW_FREEURL ? (process.env.HMD_ALLOW_FREEURL === 'true') : !!config.allowfreeurl; var allowfreeurl = process.env.HMD_ALLOW_FREEURL ? (process.env.HMD_ALLOW_FREEURL === 'true') : !!config.allowfreeurl;
@ -128,6 +129,7 @@ module.exports = {
serverurl: getserverurl(), serverurl: getserverurl(),
usecdn: usecdn, usecdn: usecdn,
allowanonymous: allowanonymous, allowanonymous: allowanonymous,
allowanonymousView: allowanonymousView,
allowfreeurl: allowfreeurl, allowfreeurl: allowfreeurl,
dburl: dburl, dburl: dburl,
db: db, db: db,

View file

@ -117,7 +117,7 @@ function newNote(req, res, next) {
} }
function checkViewPermission(req, note) { function checkViewPermission(req, note) {
if (note.permission == 'private') { if (note.permission == 'private' || !config.allowanonymousView) {
if (!req.isAuthenticated() || note.ownerId != req.user.id) if (!req.isAuthenticated() || note.ownerId != req.user.id)
return false; return false;
else else