Properly check if content can be embedded (#375)

neuroanatomy · Dec 29, 2023 · 271f6fc · 271f6fc
1 parent b1599e4
commit 271f6fc
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/controller/project/project.controller.js b/controller/project/project.controller.js
@@ -712,25 +712,36 @@ const deleteProject = async function (req, res) {
   }
 };
 
+// eslint-disable-next-line max-statements
 const embed = async function (req, res) {
   let loggedUser = 'anonymous';
   if (req.isAuthenticated()) {
     loggedUser = req.user.username;
   }
 
-  const refererURL = new URL(req.headers.referer);
-  const disallowedDomains = req.user.authorizedHostsForEmbedding.split('\n') || [];
-  if (disallowedDomains.include(refererURL.host)) {
-    return res.status(403).send('Not authorized to embed this project');
-  }
-
   const json = await req.db.get('project').findOne({ shortname: req.params.projectName, backup: { $exists: 0 } });
   if (json) {
     if (!AccessControlService.hasFilesAccess(AccessLevel.VIEW, json, loggedUser)) {
       res.status(401).send('Authorization required');
 
       return;
     }
+
+    const {referer} = req.headers;
+    let disallowedDomains;
+    let isEmbeddingDisallowed = true;
+
+    if (referer) {
+      const refererURL = new URL(req.headers.referer);
+      const user = await req.db.get('user').findOne({ nickname: json.owner });
+      disallowedDomains = user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding.split('\n') : [];
+      isEmbeddingDisallowed = disallowedDomains.includes(refererURL.host);
+    }
+
+    if (isEmbeddingDisallowed) {
+      return res.status(403).send('Not authorized to embed this project');
+    }
+
     json.files.list = [];
     res.render('embed', {
       projectInfo: JSON.stringify(json),