From f739eac6fc52adc0cba83a49034100e5b99ac7c8 Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Sat, 28 May 2022 04:25:26 -0400
Subject: [PATCH] fix(core): verify user exists
---
 src/controllers/api/v1/tickets.js | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/controllers/api/v1/tickets.js b/src/controllers/api/v1/tickets.js
index c58b88477..0d57026e2 100644
--- a/src/controllers/api/v1/tickets.js
+++ b/src/controllers/api/v1/tickets.js
@@ -15,7 +15,7 @@ var async = require('async')
 var _ = require('lodash')
 var moment = require('moment-timezone')
-var winston = require('winston')
+var winston = require('../../../logger')
 var permissions = require('../../../permissions')
 var emitter = require('../../../emitter')
 var xss = require('xss')
@@ -1828,12 +1828,23 @@ apiTickets.subscribe = function (req, res) {
 if (_.isUndefined(data.user) || _.isUndefined(data.subscribe)) return res.status(400).json({ error: 'Invalid Post Data.' })
 
+ if (data.user.toString() !== req.user._id.toString()) return res.status(401).json({ error: 'Unauthorized!' })
+
 var ticketModel = require('../../../models/ticket')
 ticketModel.getTicketById(ticketId, function (err, ticket) {
 if (err) return res.status(400).json({ error: 'Invalid Ticket Id' })
 async.series(
 [
+ function (callback) {
+ require('../../../models/user').find({ _id: data.user }, function (err, user) {
+ if (err) return callback(err)
+ if (!user) return callback(new Error('Unauthorized!'))
+ return callback()
+ })
+ },
 function (callback) {
 if (data.subscribe) {
 ticket.addSubscriber(data.user, function () {
@@ -1846,7 +1857,12 @@ apiTickets.subscribe = function (req, res) {
 }
 }
 ],
- function () {
+ function (err) {
+ if (err) {
+ winston.warn(err)
+ return res.status(401).json({ error: 'Unauthorized!' })
+ }
+
 ticket.save(function (err, ticket) {
 if (err) return res.status(400).json({ error: err })
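Review bot: The new existence check in the added series step does not reject a missing user: if `models/user` `.find()` follows the usual Mongoose convention it yields an array, an empty array is truthy, so `if (!user)` never fires and an unknown id falls through to `addSubscriber`. A single-document lookup closes that, `require('../../../models/user').findOne({ _id: data.user }, function (err, user) {`, or alternatively test `if (_.isEmpty(user)) return callback(new Error('Unauthorized!'))`. Earlier in the same hunk, `_.isUndefined(data.user)` lets `null` through and the new `data.user.toString()` then throws a TypeError inside the handler instead of returning 400; `_.isNil(data.user)` (or `data.user == null`) covers both cases. Note that `callback(err)` also fires on a database or cast error, and the final series callback in the following hunk maps every error to 401, so an infrastructure failure is reported as an authorization failure; apiTickets.subscribe begins before this hunk and ends after the next one.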