- if (!req.cookies.token)
- return callback(anonymous);
- UserModel.getOne("sessionToken", req.cookies.token, function(err, user) {
- if (!!err || !user)
- callback(anonymous);
- else (!!user)
- callback(user);
- });
+ if (!req.cookies.token)
+ callback(anonymous);
+ else if (req.cookies.token.match(/^[a-z0-9]+$/))
+ {
+ UserModel.getOne("sessionToken", req.cookies.token, (err, user) => {
+ callback(user || anonymous);
+ });
+ }
+});
+
+// NOTE: this method is safe because only IDs and names are returned
+router.get("/users", access.ajax, (req,res) => {
+ const ids = req.query["ids"];
+ if (ids.match(/^([0-9]+,?)+$/)) //NOTE: slightly too permissive
+ {
+ UserModel.getByIds(ids, (err,users) => {
+ res.json({users:users});
+ });
+ }
+});
+
+router.put('/update', access.logged, access.ajax, (req,res) => {
+ const name = req.body.name;
+ const email = req.body.email;
+ if (UserModel.checkNameEmail({name: name, email: email}));
+ {
+ const user = {
+ id: req.userId,
+ name: name,
+ email: email,
+ notify: !!req.body.notify,
+ };
+ UserModel.updateSettings(user);
+ res.json({});
+ }