Some validation of existence of OUJS accounts for collaboration

* This has resurfaced with another Author misunderstanding collaboration and potentially opening up a security hole with their script being edited by others. So at least we can check to see if the account(s) currently exists. They are still responsible for any unauthorized edits if they type the incorrect existing username. * Also fixes a feature with unhandled casing... probably best to leave it exact unlike URLs to user homepages. Really don't need different casings floating around in these labels i.e. symmetry. Post OpenUserJS#285
Martii · Jul 27, 2019 · 259fe62 · 259fe62
1 parent b5cb5c9
commit 259fe62
Showing 1 changed file with 68 additions and 1 deletion.
diff --git a/controllers/scriptStorage.js b/controllers/scriptStorage.js
@@ -1721,8 +1721,75 @@ exports.storeScript = function (aUser, aMeta, aBuf, aUpdate, aCallback) {
       }
 
       aInnerCallback(null);
-    }
+    },
+    function (aInnerCallback) {
+      // OpenUserJS `@author` validations
+      var author = null;
+
+      author = findMeta(aMeta, 'OpenUserJS.author.0.value');
+
+      if (author) {
+        User.findOne({
+          name: author
+        }, function (aErr, aUser) {
+          if (aErr) {
+            aInnerCallback(new statusError({
+              message: 'DB error finding `@author` in OpenUserJS block',
+              code: 500
+            }), null);
+            return;
+          }
+
+          if (!aUser) {
+            aInnerCallback(new statusError({
+              message: '`@author ' + author +
+                '` in OpenUserJS block does not exist or is incorrectly cased.',
+              code: 400
+            }), null);
+            return;
+          }
+
+          aInnerCallback(null);
+        });
+      } else {
+        aInnerCallback(null);
+      }
+    },
+    function (aOuterCallback) {
+      // OpenUserJS block `@collaborator` validations
+      var collaborators = null;
+
+      collaborators = findMeta(aMeta, 'OpenUserJS.collaborator.value');
+      if (collaborators) {
+        async.eachSeries(collaborators, function (aCollaborator, aInnerCallback) {
+          User.findOne({
+            name: aCollaborator
+          }, function (aErr, aUser) {
+            if (aErr) {
+              aOuterCallback(new statusError({
+                message: 'DB error finding `@collaborator` ' +
+                  aCollaborator + ' in OpenUserJS block',
+                code: 500
+              }), null);
+              return;
+            }
 
+            if (!aUser) {
+              aOuterCallback(new statusError({
+                message: '`@collaborator ' + aCollaborator +
+                  '` in OpenUserJS block does not exist or is incorrectly cased',
+                code: 400
+              }), null);
+              return;
+            }
+
+            aInnerCallback();
+          });
+        }, aOuterCallback);
+      } else {
+        aOuterCallback(null);
+      }
+    }
 
   ], function (aErr, aResults) {
     var author = null;