From 0e131c25466a9c2a25755d4341663de45b689813 Mon Sep 17 00:00:00 2001
From: Paul Fitzpatrick
Date: Tue, 4 Aug 2020 15:35:05 -0400
Subject: [PATCH] (core) do not allow anonymous user to set a name
Summary: Only allow authorized users to set names. This excludes the anonymous user. Seems to be a narrow issue isolated to the `POST /api/profile/user/name` endpoint, other `profile` posts/deletes are already restricted to authorized users.
Test Plan: added a test
Reviewers: dsagal
Reviewed By: dsagal
Differential Revision: https://phab.getgrist.com/D2574
---
app/gen-server/ApiServer.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/gen-server/ApiServer.ts b/app/gen-server/ApiServer.ts
index 6e780178..dd1442e7 100644
--- a/app/gen-server/ApiServer.ts
+++ b/app/gen-server/ApiServer.ts
@@ -320,7 +320,7 @@ export class ApiServer {
 // Body params: string
 // Update users profile.
 this._app.post('/api/profile/user/name', expressWrap(async (req, res) => {
- const userId = getUserId(req);
+ const userId = getAuthorizedUserId(req);
 if (!(req.body && req.body.name)) {
 throw new ApiError('Name expected in the body', 400);
 }
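Review bot: The body guard on the line after the new `getAuthorizedUserId(req)` call only tests truthiness, so a JSON body whose `name` is an object, array or number passes it and reaches whatever the handler does with the value further down; the handler's body continues outside the hunk, so what that is cannot be confirmed here. The comment above the route documents the parameter as a string, so narrowing at the guard is cheap and keeps the same 400 for a missing or empty name: `if (!(req.body && typeof req.body.name === 'string' && req.body.name))`. Now that only authenticated users reach this point, a length cap on the name would presumably also belong here, but the stored column's limits are not visible in the hunk, so that should be checked against the schema before adding one.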