From 259fe626bd79befe4ae82747b61f6ba0e92511f7 Mon Sep 17 00:00:00 2001
From: Martii
Date: Sat, 27 Jul 2019 05:09:40 -0600
Subject: [PATCH] Some validation of existence of OUJS accounts for collaboration

* This has resurfaced with another Author misunderstanding collaboration and potentially opening up a security hole with their script being edited by others. So at least we can check to see if the account(s) currently exists. They are still responsible for any unauthorized edits if they type the incorrect existing username.
* Also fixes a feature with unhandled casing... probably best to leave it exact unlike URLs to user homepages. Really don't need different casings floating around in these labels i.e. symmetry.

Post #285
---
 controllers/scriptStorage.js | 69 +++++++++++++++++++++++++++++++++++-
 1 file changed, 68 insertions(+), 1 deletion(-)

diff --git a/controllers/scriptStorage.js b/controllers/scriptStorage.js
index 4b8887cfb..be9d6ec09 100644
--- a/controllers/scriptStorage.js
+++ b/controllers/scriptStorage.js
@@ -1721,8 +1721,75 @@ exports.storeScript = function (aUser, aMeta, aBuf, aUpdate, aCallback) {
 }
 aInnerCallback(null);
- }
+ },
+ function (aInnerCallback) {
+ // OpenUserJS `@author` validations
+ var author = null;
+
+ author = findMeta(aMeta, 'OpenUserJS.author.0.value');
+
+ if (author) {
+ User.findOne({
+ name: author
+ }, function (aErr, aUser) {
+ if (aErr) {
+ aInnerCallback(new statusError({
+ message: 'DB error finding `@author` in OpenUserJS block',
+ code: 500
+ }), null);
+ return;
+ }
+
+ if (!aUser) {
+ aInnerCallback(new statusError({
+ message: '`@author ' + author +
+ '` in OpenUserJS block does not exist or is incorrectly cased.',
+ code: 400
+ }), null);
+ return;
+ }
+
+ aInnerCallback(null);
+ });
+ } else {
+ aInnerCallback(null);
+ }
+ },
+ function (aOuterCallback) {
+ // OpenUserJS block `@collaborator` validations
+ var collaborators = null;
+
+ collaborators = findMeta(aMeta, 'OpenUserJS.collaborator.value');
+ if (collaborators) {
+ async.eachSeries(collaborators, function (aCollaborator, aInnerCallback) {
+ User.findOne({
+ name: aCollaborator
+ }, function (aErr, aUser) {
+ if (aErr) {
+ aOuterCallback(new statusError({
+ message: 'DB error finding `@collaborator` ' +
+ aCollaborator + ' in OpenUserJS block',
+ code: 500
+ }), null);
+ return;
+ }
+ if (!aUser) {
+ aOuterCallback(new statusError({
+ message: '`@collaborator ' + aCollaborator +
+ '` in OpenUserJS block does not exist or is incorrectly cased',
+ code: 400
+ }), null);
+ return;
+ }
+
+ aInnerCallback();
+ });
+ }, aOuterCallback);
+ } else {
+ aOuterCallback(null);
+ }
+ }
 ], function (aErr, aResults) {
 var author = null;
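Review bot: In the `@collaborator` iteratee, both error branches call `aOuterCallback(...)` directly and `return` without ever invoking `aInnerCallback`, so the `async.eachSeries` over `collaborators` is left pending instead of finished, and the step's outcome is signalled from two places (the direct call and `aOuterCallback` passed as the series' final callback). Hand the error to the iteratee callback instead — `aInnerCallback(new statusError({ ... }));` in place of `aOuterCallback(new statusError({ ... }), null);` in both branches — and let `eachSeries` deliver it to `aOuterCallback` exactly once. The `function (aErr, aUser)` callbacks also shadow `storeScript`'s own `aUser` (the authenticated uploader); naming the looked-up record `aFoundUser` would make it harder for later code to confuse "this account exists" with "this account is the caller", which is the distinction the commit message itself notes is still not enforced here. One `findOne` per `@collaborator` entry with no visible cap or dedupe means a script header can drive an unbounded number of sequential queries per store, so a bound on the list length is worth adding unless the metadata parser already limits it. `storeScript` begins before and continues after this hunk.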