/* edit article */
router.put(
'/:fullTitle/wikitext',
[
param('fullTitle')
.trim()
.custom(v => Article.validateFullTitle(v)),
body('wikitext')
.optional(),
body('summary')
.optional(),
],
[
sanitizeParam('fullTitle').trim(),
sanitizeBody('wikitext').trim(),
sanitizeBody('summary').trim(),
],
middlewares.validate(),
middlewares.checkBlock(),
async (req, res, next) => {
try {
const article = await Article.findByFullTitle(req.params.fullTitle);
if (!article) {
return new Response.ResourceNotFound().send(res);
}
if (!await req.user.isEditable(article)) {
throw new UnauthorizedError();
}
const latestRevision = await article.getLatestRevision({ includeWikitext: true });
if (!req.body.latestRevisionId || latestRevision.id > req.body.latestRevisionId) {
return new Response.BadRequest({ name: 'EditConflictError', message: 'edit conflict' }).send(res);
* Validate input fields
* Sanitize input fields
* If there are errors, render the page with the errors
* Else call the /rest/lists REST service to create the list,
* then redirect back to the main page
*
* @param {Request} req - the Request object
* @param {Response} res - the Response object
* @param {Object} next - the next middleware function in the req/res cycle
*/
const createList = [
// TODO: Refactor into common method shared with updateList
// Validate input(s)
body('description', 'Description cannot be empty').isLength({ min: 1 }),
// Sanitize fields.
sanitizeBody('description').trim().escape(),
// Check validation results
(req, res, next) => {
const errors = validationResult(req);
if (!errors.isEmpty()) {
let errorsArray = errors.array();
logger.debug(`Found ${errorsArray.length} errors with the request`);
res.render('lists-create', { title: 'Create Shopping List', data: '', errors: errorsArray });
} else {
logger.debug('Request is error free. Moving on...', 'createList()');
next();
}
},
// All is well (if we got this far). Send the request!
(req, res, next) => {
let requestBody = JSON.stringify(req.body);
request('POST', '/rest/lists', requestBody, (err, data) => {
};
// Handle Author update on POST.
exports.author_update_post = [
// Validate fields.
body('first_name').isLength({ min: 1 }).trim().withMessage('First name must be specified.')
.isAlphanumeric().withMessage('First name has non-alphanumeric characters.'),
body('family_name').isLength({ min: 1 }).trim().withMessage('Family name must be specified.')
.isAlphanumeric().withMessage('Family name has non-alphanumeric characters.'),
body('date_of_birth', 'Invalid date of birth').optional({ checkFalsy: true }).isISO8601(),
body('date_of_death', 'Invalid date of death').optional({ checkFalsy: true }).isISO8601(),
// Sanitize fields.
sanitizeBody('first_name').escape(),
sanitizeBody('family_name').escape(),
sanitizeBody('date_of_birth').toDate(),
sanitizeBody('date_of_death').toDate(),
// Process request after validation and sanitization.
(req, res, next) => {
// Extract the validation errors from a request.
const errors = validationResult(req);
// Create Author object with escaped and trimmed data (and the old id!)
var author = new Author(
{
first_name: req.body.first_name,
family_name: req.body.family_name,
date_of_birth: req.body.date_of_birth,
date_of_death: req.body.date_of_death,
}
next();
},
// Validate fields.
body('title', 'Title must not be empty.').isLength({ min: 1 }).trim(),
body('author', 'Author must not be empty.').isLength({ min: 1 }).trim(),
body('summary', 'Summary must not be empty.').isLength({ min: 1 }).trim(),
body('isbn', 'ISBN must not be empty').isLength({ min: 1 }).trim(),
// Sanitize fields.
sanitizeBody('title').escape(),
sanitizeBody('author').escape(),
sanitizeBody('summary').escape(),
sanitizeBody('isbn').escape(),
sanitizeBody('genre.*').escape(),
// Process request after validation and sanitization.
(req, res, next) => {
// Extract the validation errors from a request.
const errors = validationResult(req);
// Create a Book object with escaped/trimmed data and old id.
var book = new Book(
{ title: req.body.title,
author: req.body.author,
summary: req.body.summary,
isbn: req.body.isbn,
genre: (typeof req.body.genre==='undefined') ? [] : req.body.genre,
_id:req.params.id // This is required, or a new ID will be assigned!
});
res.render('bookinstance_form', {title: 'Create BookInstance', book_list:books } );
});
};
// Handle BookInstance create on POST.
exports.bookinstance_create_post = [
// Validate fields.
body('book', 'Book must be specified').isLength({ min: 1 }).trim(),
body('imprint', 'Imprint must be specified').isLength({ min: 1 }).trim(),
body('due_back', 'Invalid date').optional({ checkFalsy: true }).isISO8601(),
// Sanitize fields.
sanitizeBody('book').escape(),
sanitizeBody('imprint').escape(),
sanitizeBody('status').escape(),
sanitizeBody('due_back').toDate(),
// Process request after validation and sanitization.
(req, res, next) => {
// Extract the validation errors from a request.
const errors = validationResult(req);
// Create a BookInstance object with escaped and trimmed data.
var bookinstance = new BookInstance(
{ book: req.body.book,
imprint: req.body.imprint,
status: req.body.status,
due_back: req.body.due_back
});
};
// Handle BookInstance create on POST.
exports.bookinstance_create_post = [
// Validate fields.
body('book', 'Book must be specified').isLength({ min: 1 }).trim(),
body('imprint', 'Imprint must be specified').isLength({ min: 1 }).trim(),
body('due_back', 'Invalid date').optional({ checkFalsy: true }).isISO8601(),
// Sanitize fields.
sanitizeBody('book').escape(),
sanitizeBody('imprint').escape(),
sanitizeBody('status').escape(),
sanitizeBody('due_back').toDate(),
// Process request after validation and sanitization.
(req, res, next) => {
// Extract the validation errors from a request.
const errors = validationResult(req);
// Create a BookInstance object with escaped and trimmed data.
var bookinstance = new BookInstance(
{ book: req.body.book,
imprint: req.body.imprint,
status: req.body.status,
due_back: req.body.due_back
});
if (!errors.isEmpty()) {
} catch (err) {
return next(err);
}
},
);
/*
 * PUT /wiki-name: store the wiki's display name.
 * Gated by middlewares.permission(SET_WIKI_NAME). `wikiName` is trimmed and
 * must be 1–30 characters; requests failing that presumably never reach the
 * handler because middlewares.validate() runs first (validate() is defined
 * elsewhere — confirm it short-circuits on errors).
 * Any error thrown by Setting.set is forwarded to the Express error handler.
 */
router.put(
  '/wiki-name',
  middlewares.permission(SET_WIKI_NAME),
  [
    body('wikiName')
      .trim()
      .isLength({ min: 1, max: 30 }),
  ],
  [
    sanitizeBody('wikiName').trim(),
  ],
  middlewares.validate(),
  async ({ body: { wikiName } }, res, next) => {
    try {
      await Setting.set('wikiName', wikiName);
      return new Response.Success().send(res);
    } catch (error) {
      return next(error);
    }
  },
);
router.put(
'/front-page',
middlewares.permission(SET_FRONT_PAGE),
[
ref: 'user',
required: true,
},
groupId: {
type: Schema.Types.ObjectId,
ref: 'group',
},
};
// Mongoose schema for a task: the `fields` definitions merged with the
// `references` map (ObjectId refs such as `groupId` → 'group' above), with
// createdAt/updatedAt maintained by `timestamps`.
// NOTE(review): Object.assign mutates `fields` in place, so the exported
// `fields` object also carries the reference keys after this line — confirm
// that consumers of `fields` expect that.
const task = new Schema(Object.assign(fields, references), {
  timestamps: true,
});

// express-validator sanitizers applied to an incoming task payload before a
// handler reads it: free-text fields are HTML-escaped, `completed` is coerced
// to a boolean and `dueDate` to a Date.
const sanitizers = [
  body('title').escape(),
  sanitizeBody('completed').toBoolean(),
  body('description').escape(),
  body('dueDate').toDate(),
];

const Model = mongoose.model('task', task);

module.exports = {
  Model,
  fields,
  references,
  sanitizers,
};
},
);
router.put(
'/email',
middlewares.permission(SET_EMAIL),
[
body('host').trim().isLength({ min: 1, max: 300 }),
body('port').custom(v => Number.isInteger(v)),
body('secure').custom(v => typeof v === 'boolean'),
body('user').trim().isLength({ min: 1, max: 300 }),
body('password').isLength({ min: 1 }),
],
[
sanitizeBody('host').trim(),
sanitizeBody('user').trim(),
],
middlewares.validate(),
async ({
body: {
host, port, secure, user, password,
},
}, res, next) => {
try {
await Setting.set('email', {
host, port, secure, user, password,
});
return new Response.Success().send(res);
} catch (err) {
return next(err);
}
},
} catch (err) {
return next(err);
}
},
);
router.post(
'/',
upload.single('file'),
[
body('title')
.trim()
.custom(v => Article.validateTitle(v)),
],
[
sanitizeBody('title').trim(),
sanitizeBody('wikitext').trim(),
sanitizeBody('summary').trim(),
],
middlewares.validate(),
async (req, res, next) => {
try {
if (!await req.user.isCreatable(Namespace.Known.FILE)) {
throw new UnauthorizedError();
}
await sequelize.transaction(async (transaction) => {
const article = await Article.createNew({
ipAddress: req.ipAddress,
fullTitle: Namespace.joinNamespaceIdTitle(Namespace.Known.FILE.id, req.body.title),
author: req.user,
wikitext: req.body.wikitext,
summary: req.body.summary,