lfapi

changeset 37:0eef836b8f54

Pay attention to session_key submitted in POST body
author bsw
date Thu Aug 02 13:58:41 2012 +0200 (2012-08-02)
parents 268b74abaceb
children 28865db108c9
files lfapi.js
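--- a/lfapi.js	Tue Jul 31 11:51:46 2012 +0200
+++ b/lfapi.js	Thu Aug 02 13:58:41 2012 +0200
@@ -34,16 +34,6 @@
 
   req.sessions = sessions;
   
-  // session handling
-  if (params.session_key) {
-    if (sessions[params.session_key]) {
-      req.current_member_id = sessions[params.session_key];
-      req.current_access_level = 'member'
-    } else {
-      main.respond('json', null, req, res, 'forbidden', 'Invalid session key');
-    }
-  }
-  
   // pick cookies from http headers
   var cookies = {};
   if (req.headers.cookie) {
@@ -53,8 +43,6 @@
     });
   };
   
-  console.log(req.socket._idleStart, req.socket.remoteAddress, req.current_member_id, req.current_access_level, req.method, url_info.pathname, url_info.query);
-
   var body = '';
   req.on('data', function (data) {
       body += data;
@@ -65,6 +53,20 @@
       params[key] = post_params[key];
     };
 
+    console.log(req.socket._idleStart, req.socket.remoteAddress, req.current_member_id, req.current_access_level, req.method, url_info.pathname, url_info.query);
+
+    // session handling
+    if (params.session_key) {
+      if (sessions[params.session_key]) {
+        req.current_member_id = sessions[params.session_key];
+        req.current_access_level = 'member'
+      } else {
+        main.respond('json', null, req, res, 'forbidden', 'Invalid session key');
+      }
+    }
+    
+
+    
     if (['POST', 'DELETE'].includes(params.http_method)) {
       req.method = params.http_method;
     }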
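Review bot: The relocated session check at 1.36–1.43 still falls through after `main.respond(..., 'forbidden', 'Invalid session key')`, so a request with an invalid key continues into the `http_method` override and whatever follows, unless `main.respond` itself aborts the request (not visible here). `sessions[params.session_key]` is also truthy for inherited property names if `sessions` is a plain object, which would set `current_access_level` to 'member' without a real session; an own-property check closes that. The `console.log` at 1.33 now runs before the session block, so it prints the member id and access level before they are assigned, and it writes `url_info.query` to the log, which includes the session key whenever a client sends it in the URL; consider moving it below the session block and logging only the pathname. The enclosing callback starts and ends outside the hunk, so the `return` below assumes nothing after it must still run for rejected requests.

```javascript
    // session handling
    if (params.session_key) {
      // own-property check: inherited names on a plain object must not count as sessions
      if (!Object.prototype.hasOwnProperty.call(sessions, params.session_key)) {
        main.respond('json', null, req, res, 'forbidden', 'Invalid session key');
        return; // stop here so the rejected request is not dispatched further
      }
      req.current_member_id = sessions[params.session_key];
      req.current_access_level = 'member';
    }
    // … unchanged: http_method override …
```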
