Patch unauthorized access to other user's pfps (#2904)

* patch unauthorized viewing of other user's pfps * inline return responses --------- Co-authored-by: Timothy Carambat <[email protected]>
Mintplex-Labs · Dec 30, 2024 · 696af19 · 696af19
1 parent 0b7bf68
commit 696af19
Showing 1 changed file with 6 additions and 12 deletions.
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
@@ -659,24 +659,18 @@ function systemEndpoints(app) {
     async function (request, response) {
       try {
         const { id } = request.params;
-        const pfpPath = await determinePfpFilepath(id);
+        if (response.locals?.user?.id !== Number(id))
+          return response.sendStatus(204).end();
 
-        if (!pfpPath) {
-          response.sendStatus(204).end();
-          return;
-        }
+        const pfpPath = await determinePfpFilepath(id);
+        if (!pfpPath) return response.sendStatus(204).end();
 
         const { found, buffer, size, mime } = fetchPfp(pfpPath);
-        if (!found) {
-          response.sendStatus(204).end();
-          return;
-        }
+        if (!found) return response.sendStatus(204).end();
 
         response.writeHead(200, {
           "Content-Type": mime || "image/png",
-          "Content-Disposition": `attachment; filename=${path.basename(
-            pfpPath
-          )}`,
+          "Content-Disposition": `attachment; filename=${path.basename(pfpPath)}`,
           "Content-Length": size,
         });
         response.end(Buffer.from(buffer, "base64"));