Sanitize inputs on server side
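--- a/server/routes/users.js
+++ b/server/routes/users.js
@@ -7,6 +7,7 @@
 var genToken = require("../utils/tokenGenerator");
 var access = require("../utils/access");
 var params = require("../config/parameters");
+// NOTE: this method is safe because the sessionToken must be guessed
 router.get("/whoami", access.ajax, (req,res) => {
 const callback = (user) => {
 return res.json({
@@ -27,6 +28,7 @@ router.get("/whoami", access.ajax, (req,res) => {
 });
 });
 });
+// NOTE: this method is safe because only IDs and names are returned
 router.get("/users", access.ajax, (req,res) => {
 const ids = req.query["ids"];
 UserModel.getByIds(ids, (err,users) => {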
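Review bot: The comment added above `/users` argues about the output ("only IDs and names are returned") but the input it sits over is still `req.query["ids"]` handed straight to `UserModel.getByIds`, so the note does not establish that this handler is sanitized, which is what the commit title claims. If getByIds splices `ids` into its query (not visible here), an unvalidated query string reaches the database; I would validate the shape before the model call, e.g. `if (!/^[0-9]+(,[0-9]+)*$/.test(String(ids))) return res.status(400).end();`, and reword the comment to say what is checked rather than what is returned. The first hunk's note reads ambiguously — "must be guessed" is presumably meant as "cannot be guessed without the secret token"; `// NOTE: safe because a valid sessionToken cannot be guessed` says that directly. Both handlers' bodies continue past the hunk.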