From cae4118bc94e3461e016471e3cf3c9287e99e59e Mon Sep 17 00:00:00 2001
From: Robert Best
Date: Tue, 3 Oct 2023 13:37:59 -0400
Subject: [PATCH] Update social.coffee don't allow unclaimed sites to be viewed by authors not in allowed_domains.
---
 server/social.coffee | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/social.coffee b/server/social.coffee
index 5147444..4ac9ff0 100644
--- a/server/social.coffee
+++ b/server/social.coffee
@@ -408,7 +408,7 @@ module.exports = exports = (log, loga, argv) ->
 res.header 'Access-Control-Allow-Origin', req.get('Origin')||'*'
 res.header 'Access-Control-Allow-Credentials', 'true'
 # protect unclaimed by adding "add owner isnt ''" - maybe via parameter
- return next() if isAuthorized(req) or allowedToView(req)
+ return next() if (isAuthorized(req) and owner !== '') or allowedToView(req)
 return res.redirect("/view/#{m[1]}") if m = req.url.match /\/(.*)\.html/
 return res.json(['Login Required']) if req.url == '/system/sitemap.json'
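Review bot: The added condition spells the comparison `!==`, which as far as I know is not a CoffeeScript operator. The lexer would read `!=` followed by a stray `=`, so `server/social.coffee` would likely fail to compile and this access check would never load. The comment directly above already names the intended form, so the line should read `return next() if (isAuthorized(req) and owner isnt '') or allowedToView(req)`. `owner` is not declared inside the hunk, so confirm it is in scope in this handler and still holds the empty string for an unclaimed site at request time. The comment could then be updated to say the unclaimed-site check is now enforced. The enclosing handler starts and ends outside the hunk.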