Add config option which requires authentication in FreeURL mode

This mitigates unintended note creation by bots or humans through a simple GET call. See discussion in #754. Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-22 16:47:47 +01:00
parent 3331c0947c
commit 497569fee4
5 changed files with 5 additions and 1 deletions
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -52,7 +52,7 @@ exports.newNote = function (req, res, body) {
    return errors.errorForbidden(res)
  }
  if (noteId) {
-    if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) {
+    if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId) && (!config.requireFreeURLAuthentication || req.isAuthenticated())) {
      req.alias = noteId
    } else {
      return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)