(core) do not allow anonymous user to set a name

Summary:
Only allow authorized users to set names. This excludes the anonymous user.

Seems to be a narrow issue isolated to the `POST /api/profile/user/name` endpoint; other `profile` posts/deletes are already restricted to authorized users.

Test Plan: added a test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2574
pull/4/head
Paul Fitzpatrick 4 years ago
parent 6b24d496db
commit 0e131c2546

@ -320,7 +320,7 @@ export class ApiServer {
// Body params: string
// Update users profile.
this._app.post('/api/profile/user/name', expressWrap(async (req, res) => {
const userId = getUserId(req);
const userId = getAuthorizedUserId(req);
if (!(req.body && req.body.name)) {
throw new ApiError('Name expected in the body', 400);
}
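
Review bot: the body check `if (!(req.body && req.body.name))` only tests that `name` is truthy, while the route comment says the body param is a string. Nothing in the visible lines rejects a non-string value such as an object or array. Consider adding `typeof req.body.name === 'string'` to that condition so such values also get the 400. The route comment "Update users profile." could also state that the call now requires an authorized (non-anonymous) user, since that is the reason for switching to `getAuthorizedUserId(req)`. The test named in the Test Plan is not part of this hunk, so it is worth confirming that it sends an anonymous request to this endpoint and asserts the rejection.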
