From 83acf308e156830cec769a2f3bd28a5ef0843393 Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Fri, 2 Mar 2018 23:20:46 -0800
Subject: [PATCH] add safety check for which site to save to to make sure user hasn't switched users in another tab
---
 app/site_files.rb | 22 +++++++++++++++++-----
 app_helpers.rb | 5 -----
 views/site_files/text_editor.erb | 9 +++++++--
 3 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/app/site_files.rb b/app/site_files.rb
index 70a62b75..b9a9253f 100644
--- a/app/site_files.rb
+++ b/app/site_files.rb
@@ -85,9 +85,14 @@ def file_upload_response(error=nil) end end +def require_login_file_upload_ajax file_upload_response 'You are not signed in!' unless signed_in? file_upload_response 'Please contact support.' if banned? end + post '/site_files/upload' do if params[:filename] - require_login_ajax + require_login_file_upload_ajax tempfile = Tempfile.new 'neocities_saving_file' input = request.body.read
@@ -106,6 +111,13 @@ post '/site_files/upload' do file_upload_response "Uploaded files were not seen by the server, cancelled. We don't know what's causing this yet. Please contact us so we can help fix it. Thanks!" end + # For migration from original design.. some pages out there won't have the site_id param yet for a while. site = params[:site_id].nil? ? current_site : Site[params[:site_id]] + unless site.owned_by?(current_site) file_upload_response 'You do not have permission to save this file. Did you sign in as a different user?' end + params[:files].each_with_index do |file,i| dir_name = '' dir_name = params[:dir] if params[:dir] 
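Review bot: `require_login_file_upload_ajax` only stops an unauthenticated request if `file_upload_response` halts; the helper it replaces used `halt` explicitly, and `file_upload_response`'s body sits above this hunk, so the halting behaviour is inferred here rather than visible. If that method ever returns normally instead of halting, the banned check and the whole upload path would run for a caller who is not signed in. A one-line comment on the new helper would pin that contract: `# relies on file_upload_response halting the request; a plain return here would let the upload proceed`. The same commit deletes `require_login_ajax` from app_helpers.rb, so any other route still calling it will fail at runtime — worth a search of the codebase before merging.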
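Review bot: `Site[params[:site_id]]` yields nil for an id that does not exist, is empty, or is not numeric, so `site.owned_by?(current_site)` on the next line raises NoMethodError and the request ends in a 500 instead of the intended permission message. The raw param is also handed straight to the model lookup whatever its shape; coercing it to an integer first removes that ambiguity and costs nothing for the legitimate case. Suggested lines: `site = params[:site_id].nil? ? current_site : Site[params[:site_id].to_s.to_i]` followed by `if site.nil? || !site.owned_by?(current_site)` in place of the `unless`. The enclosing `post '/site_files/upload'` block starts and ends outside this hunk, so whether a not-signed-in caller can reach this line without `params[:filename]` depends on filters not shown here.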
@@ -125,22 +137,22 @@ post '/site_files/upload' do if current_site.file_size_too_large? file[:tempfile].size file_upload_response "#{file[:filename]} is too large, upload cancelled." end - if !current_site.okay_to_upload? file + if !site.okay_to_upload? file file_upload_response %{#{Rack::Utils.escape_html file[:filename]}: file type (or content in file) is only supported by supporter accounts. Why We Do This} end end uploaded_size = params[:files].collect {|f| f[:tempfile].size}.inject{|sum,x| sum + x } - if current_site.file_size_too_large? uploaded_size + if site.file_size_too_large? uploaded_size file_upload_response "File(s) do not fit in your available free space, upload cancelled." end - if current_site.too_many_files? params[:files].length + if site.too_many_files? params[:files].length file_upload_response "Your site has exceeded the maximum number of files, please delete some files first." end - results = current_site.store_files params[:files] + results = site.store_files params[:files] file_upload_response end
diff --git a/app_helpers.rb b/app_helpers.rb
index 0327f3e9..2e9e6d59 100644
--- a/app_helpers.rb
+++ b/app_helpers.rb
@@ -2,11 +2,6 @@ def dashboard_if_signed_in redirect '/dashboard' if signed_in? end -def require_login_ajax - halt 'You are not logged in!' unless signed_in? - halt 'Please contact support.' if banned? -end - def csrf_safe? csrf_token == params[:csrf_token] || csrf_token == request.env['HTTP_X_CSRF_TOKEN'] end
diff --git a/views/site_files/text_editor.erb b/views/site_files/text_editor.erb
index f95300d6..35c439e6 100644
--- a/views/site_files/text_editor.erb
+++ b/views/site_files/text_editor.erb 
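Review bot: The per-file size check at the top of this hunk, `if current_site.file_size_too_large? file[:tempfile].size`, is still evaluated against `current_site`, while `okay_to_upload?`, the aggregate `file_size_too_large?`, `too_many_files?` and `store_files` were all switched to `site`. When `site_id` names a site other than the session's, that per-file check is run against the wrong account's free space and the file is then stored on `site`, leaving only the aggregate check guarding that site's quota. Change it to `if site.file_size_too_large? file[:tempfile].size` so every check agrees on the site being written to. The enclosing `post '/site_files/upload'` block begins above this hunk.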
@@ -120,14 +120,19 @@ if(unsavedChanges == false) return $.ajax({ - url: "/site_files/upload?csrf_token=<%= Rack::Utils.escape csrf_token %>&filename=<%= Rack::Utils.escape @filename %>", + url: "/site_files/upload?csrf_token=<%= Rack::Utils.escape csrf_token %>&filename=<%= Rack::Utils.escape @filename %>&site_id=<%= current_site.id %>", data: editor.getValue(), processData: false, contentType: false, type: 'POST', error: function(jqXHR, textStatus, errorThrown) { + var errorMessage = 'There has been an error saving your file, please try again. If it continues to fail, make a copy of the file locally so you don\'t lose your changes!' + + if(jqXHR.responseText) + errorMessage += ' ERROR MESSAGE: '+jqXHR.responseText + $('#saveButton').tooltip('show') - $('#editorUpdates span').text('There has been an error saving your file, please try again. If it continues to fail, make a copy of the file locally so you don\'t lose your changes!') + $('#editorUpdates span').text(errorMessage) $('#editorUpdates').fadeIn() $('#editorUpdates').removeClass('hidden') },
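Review bot: `jqXHR.responseText` is appended to the message for every failed request, so a 500 or a proxy error page will dump an entire HTML document into `#editorUpdates` as literal text. Rendering it with `.text(errorMessage)` rather than `.html()` is the right choice — server-supplied text cannot inject markup into the editor page — but the appended text should be limited to responses the app itself produced, e.g. `if(jqXHR.responseText && jqXHR.status < 500)` (pick the status range `file_upload_response` actually uses), or truncated to a sensible length. Separately, `site_id=<%= current_site.id %>` is the one query parameter in the URL not passed through `Rack::Utils.escape`; it is a numeric id, so this is a consistency point rather than a defect. The `$.ajax` options object continues past the end of the hunk.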