From 1358215e6fa7249c2c830a54fa7337973f410b1c Mon Sep 17 00:00:00 2001
From: Travis Eden
Date: Mon, 17 Sep 2018 09:01:46 -0400
Subject: [PATCH] reject requests for content from unapproved channels when serveApprovedOnly
---
 server/controllers/api/channel/data/index.js | 7 +++++
 .../assets/utils/getClaimIdAndServeAsset.js | 26 ++++++++++++++++---
 server/models/claim.js | 5 ++++
 3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/server/controllers/api/channel/data/index.js b/server/controllers/api/channel/data/index.js
index 610f1cb5..c9ceebf4 100644
--- a/server/controllers/api/channel/data/index.js
+++ b/server/controllers/api/channel/data/index.js
@@ -1,6 +1,7 @@
 const { handleErrorResponse } = require('../../../utils/errorHandlers.js');
 const getChannelData = require('./getChannelData.js');
+const { publishing: { serveOnlyApproved, approvedChannels } } = require('@config/siteConfig');
 const NO_CHANNEL = 'NO_CHANNEL';
@@ -14,6 +15,12 @@ const channelData = ({ ip, originalUrl, body, params }, res) => {
 const channelName = params.channelName;
 let channelClaimId = params.channelClaimId;
 if (channelClaimId === 'none') channelClaimId = null;
+ if (serveOnlyApproved && approvedChannels && !approvedChannels.includes(channelClaimId)) {
+ return res.status(404).json({
+ success: false,
+ message: 'This spee.ch instance serves limited content which does not include this asset',
+ });
+ }
 getChannelData(channelName, channelClaimId)
 .then(data => {
 res.status(200).json({
diff --git a/server/controllers/assets/utils/getClaimIdAndServeAsset.js b/server/controllers/assets/utils/getClaimIdAndServeAsset.js
index 00bf9532..66486ba8 100644
--- a/server/controllers/assets/utils/getClaimIdAndServeAsset.js
+++ b/server/controllers/assets/utils/getClaimIdAndServeAsset.js
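Review bot: The allow-list check in `channelData` compares the raw `params.channelClaimId` against `approvedChannels` before `getChannelData` has resolved anything, so it passes only on an exact string match. If this route accepts shortened claim ids, or `none` (turned into `null` on the line above), an approved channel addressed that way gets the 404, and the result may disagree with the `certificateId` comparison used on the asset path. Checking the resolved channel id instead would keep the checks consistent; until then a comment such as `// compares the unresolved URL param: short ids and 'none' never match approvedChannels` would document the limitation. The message also says "asset" for what is a channel lookup, and `channelData` continues outside the hunk.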
@@ -11,17 +11,28 @@ const NO_CHANNEL = 'NO_CHANNEL';
 const NO_CLAIM = 'NO_CLAIM';
 const BLOCKED_CLAIM = 'BLOCKED_CLAIM';
 const NO_FILE = 'NO_FILE';
+const UNAPPROVED_CHANNEL = 'UNAPPROVED_CHANNEL';
+
+const { publishing: { serveOnlyApproved, approvedChannels } } = require('@config/siteConfig');
 const getClaimIdAndServeAsset = (channelName, channelClaimId, claimName, claimId, originalUrl, ip, res) => {
 getClaimId(channelName, channelClaimId, claimName, claimId)
 .then(fullClaimId => {
 claimId = fullClaimId;
 logger.debug('Full claim id:', fullClaimId);
- return db.Claim.getOutpoint(claimName, fullClaimId);
+ return db.Claim.findOne({
+ where: {
+ name : claimName,
+ claimId: fullClaimId,
+ },
+ });
 })
- .then(outpoint => {
- logger.debug('Outpoint:', outpoint);
- return db.Blocked.isNotBlocked(outpoint);
+ .then(claim => {
+ if (serveOnlyApproved && !approvedChannels.includes(claim.dataValues.certificateId)) {
+ throw new Error(UNAPPROVED_CHANNEL);
+ }
+ logger.debug('Outpoint:', claim.dataValues.outpoint);
+ return db.Blocked.isNotBlocked(claim.dataValues.outpoint);
 })
 .then(() => {
 return db.File.findOne({
@@ -52,6 +63,13 @@ const getClaimIdAndServeAsset = (channelName, channelClaimId, claimName, claimId
 message: 'No matching channel id could be found for that url',
 });
 }
+ if (error === UNAPPROVED_CHANNEL) {
+ logger.debug('unapproved channel');
+ return res.status(400).json({
+ success: false,
+ message: 'This spee.ch instance serves limited content which does not include this asset',
+ });
+ }
 if (error === BLOCKED_CLAIM) {
 logger.debug('claim was blocked');
 return res.status(451).json({
diff --git a/server/models/claim.js b/server/models/claim.js
index 6c1f4092..55010987 100644
--- a/server/models/claim.js
+++ b/server/models/claim.js
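Review bot: `throw new Error(UNAPPROVED_CHANNEL)` in the new `.then(claim => …)` can never reach the handler added in the later hunk of this file, because that handler tests `error === UNAPPROVED_CHANNEL` and an Error object is never strictly equal to a string. The request is still refused, but through whatever fallback the catch block ends with rather than the intended response. Either test `error.message === UNAPPROVED_CHANNEL` in the handler, or raise the bare constant if that is how the neighbouring `BLOCKED_CLAIM` case is produced (not visible here). Separately, `findOne` presumably resolves to `null` when no row matches, which would make `claim.dataValues` throw a TypeError, so a guard like `if (!claim)` is needed before the allow-list test. The catch block and the end of `getClaimIdAndServeAsset` lie outside this hunk.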
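Review bot: The new `UNAPPROVED_CHANNEL` branch answers with status 400, while the channel-data controller changed in this same commit answers 404 with the identical message. A 400 tells clients the request was malformed, which it is not, so one code should be used for both policy refusals. The refusal is also recorded only as `logger.debug('unapproved channel')`, without the `originalUrl` and `ip` this function already receives, so allow-list denials are invisible at normal log levels. Something like `logger.info('unapproved channel', { originalUrl, ip });` would make them auditable, assuming `logger` here is the same winston logger used in `server/models/claim.js`. The surrounding catch callback starts and ends outside the hunk.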
@@ -1,8 +1,10 @@
 const logger = require('winston');
 const returnShortId = require('./utils/returnShortId.js');
 const { assetDefaults: { thumbnail: defaultThumbnail }, details: { host } } = require('@config/siteConfig');
+const { publishing: { serveOnlyApproved, approvedChannels } } = require('@config/siteConfig');
 const NO_CLAIM = 'NO_CLAIM';
+const NOT_ALLOWED = 'NOT_ALLOWED';
 function determineFileExtensionFromContentType (contentType) {
 switch (contentType) {
@@ -362,6 +364,9 @@ module.exports = (sequelize, { STRING, BOOLEAN, INTEGER, TEXT, DECIMAL }) => {
 where: { name, claimId },
 })
 .then(claimArray => {
+ if (serveOnlyApproved && !approvedChannels.includes(claimArray[0].dataValues.certificateId)) {
+ reject(NOT_ALLOWED);
+ }
 switch (claimArray.length) {
 case 0:
 return resolve(null);
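Review bot: The added check reads `claimArray[0].dataValues` before the `switch` has handled `claimArray.length === 0`, so with `serveOnlyApproved` on, a lookup that finds no claim throws a TypeError instead of reaching `return resolve(null)`. `reject(NOT_ALLOWED)` also has no `return`, so execution falls into the `switch` after rejecting. Unlike the check in `server/controllers/api/channel/data/index.js`, neither this hunk nor the one in `getClaimIdAndServeAsset.js` tests that `approvedChannels` exists, so a config with the flag set but no list will throw. A guard that fails closed would be `if (serveOnlyApproved && claimArray.length && !(approvedChannels || []).includes(claimArray[0].dataValues.certificateId)) { return reject(NOT_ALLOWED); }`. The enclosing promise callback starts and ends outside the hunk, so how a throw inside this `.then` is surfaced cannot be seen from here.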