protect assets and sitemap hints that login is required
@ -400,15 +400,17 @@ module.exports = exports = (log, loga, argv) ->
|
|||||||
false
|
false
|
||||||
|
|
||||||
app.all '*', (req, res, next) ->
|
app.all '*', (req, res, next) ->
|
||||||
# todo: think about assets??
|
# everything is restricted except site flag,
|
||||||
return next() unless /\.(json|html)$/.test req.url
|
return next() if req.url is '/favicon.png'
|
||||||
|
return next() unless /\.(json|html)$/.test req.url or req.url.startsWith('/assets')
|
||||||
|
|
||||||
# prepare to examine remote server's forwarded session
|
# prepare to examine remote server's forwarded session
|
||||||
res.header 'Access-Control-Allow-Origin', req.get('Origin')||'*'
|
res.header 'Access-Control-Allow-Origin', req.get('Origin')||'*'
|
||||||
res.header 'Access-Control-Allow-Credentials', 'true'
|
res.header 'Access-Control-Allow-Credentials', 'true'
|
||||||
return next() if isAuthorized(req) || allowedToView(req)
|
# protect unclaimed by adding "add owner isnt ''" - maybe via parameter
|
||||||
|
return next() if isAuthorized(req) or allowedToView(req)
|
||||||
return res.redirect("/view/#{m[1]}") if m = req.url.match /\/(.*)\.html/
|
return res.redirect("/view/#{m[1]}") if m = req.url.match /\/(.*)\.html/
|
||||||
return res.json([]) if req.url == '/system/sitemap.json'
|
return res.json(['Login Required']) if req.url == '/system/sitemap.json'
|
||||||
|
|
||||||
# not happy, explain why these pages can't be viewed
|
# not happy, explain why these pages can't be viewed
|
||||||
problem = "This is a restricted wiki requires users to login to view pages. You do not have to be the site owner but you do need to login with a participating email address."
|
problem = "This is a restricted wiki requires users to login to view pages. You do not have to be the site owner but you do need to login with a participating email address."
|
||||||
|
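Review bot: On the new `return next() unless /\.(json|html)$/.test req.url or req.url.startsWith('/assets')` line, CoffeeScript's implicit call passes the whole expression `req.url or req.url.startsWith('/assets')` to `.test`. Because `req.url` is always a non-empty string, the `/assets` check is never evaluated, so asset requests still bypass the login check the commit title promises. Parenthesise the call: `return next() unless /\.(json|html)$/.test(req.url) or req.url.startsWith('/assets')`. Assuming this is an Express app, `req.url` also carries the query string, so matching on `req.path` would stop the `$`-anchored pattern from depending on what follows the `?`. The handler appears to continue past the end of this hunk, so the rest of the restricted path was not reviewed.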