Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2024-10-27 20:44:07 +00:00
Code Issues Projects Releases Wiki Activity

(core) do not allow anonymous user to set a name

Browse Source 
Summary:
Only allow authorized users to set names. This excludes the anonymous user.

Seems to be a narrow issue isolated to the `POST /api/profile/user/name` endpoint, other `profile` posts/deletes are already restricted to authorized users.

Test Plan: added a test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2574
This commit is contained in:
Paul Fitzpatrick 2020-08-04 15:35:05 -04:00
parent 6b24d496db
commit 0e131c2546
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/gen-server/ApiServer.ts
View File

@ -320,7 +320,7 @@ export class ApiServer {
// Body params: string
// Update users profile.
this._app.post('/api/profile/user/name', expressWrap(async (req, res) => {
const userId = getUserId(req);
const userId = getAuthorizedUserId(req);
if (!(req.body && req.body.name)) {
throw new ApiError('Name expected in the body', 400);
}