add safety check for which site to save to to make sure user hasn't switched users in another tab

app/site_files.rb

@@ -85,9 +85,14 @@ def file_upload_response(error=nil)
   end
 end
 
+def require_login_file_upload_ajax
+  file_upload_response 'You are not signed in!' unless signed_in?
+  file_upload_response 'Please contact support.' if banned?
+end
+
 post '/site_files/upload' do
   if params[:filename]
-    require_login_ajax
+    require_login_file_upload_ajax
     tempfile = Tempfile.new 'neocities_saving_file'
 
     input = request.body.read
@@ -106,6 +111,13 @@ post '/site_files/upload' do
     file_upload_response "Uploaded files were not seen by the server, cancelled. We don't know what's causing this yet. Please contact us so we can help fix it. Thanks!"
   end
 
+  # For migration from original design.. some pages out there won't have the site_id param yet for a while.
+  site = params[:site_id].nil? ? current_site : Site[params[:site_id]]
+
+  unless site.owned_by?(current_site)
+    file_upload_response 'You do not have permission to save this file. Did you sign in as a different user?'
+  end
+
   params[:files].each_with_index do |file,i|
     dir_name = ''
     dir_name = params[:dir] if params[:dir]
@@ -125,22 +137,22 @@ post '/site_files/upload' do
     if current_site.file_size_too_large? file[:tempfile].size
       file_upload_response "#{file[:filename]} is too large, upload cancelled."
     end
-    if !current_site.okay_to_upload? file
+    if !site.okay_to_upload? file
       file_upload_response %{#{Rack::Utils.escape_html file[:filename]}: file type (or content in file) is only supported by <a href="/supporter">supporter accounts</a>. <a href="/site_files/allowed_types">Why We Do This</a>}
     end
   end
 
   uploaded_size = params[:files].collect {|f| f[:tempfile].size}.inject{|sum,x| sum + x }
 
-  if current_site.file_size_too_large? uploaded_size
+  if site.file_size_too_large? uploaded_size
     file_upload_response "File(s) do not fit in your available free space, upload cancelled."
   end
 
-  if current_site.too_many_files? params[:files].length
+  if site.too_many_files? params[:files].length
     file_upload_response "Your site has exceeded the maximum number of files, please delete some files first."
   end
 
-  results = current_site.store_files params[:files]
+  results = site.store_files params[:files]
   file_upload_response
 end
 

app_helpers.rb

@@ -2,11 +2,6 @@ def dashboard_if_signed_in
   redirect '/dashboard' if signed_in?
 end
 
-def require_login_ajax
-  halt 'You are not logged in!' unless signed_in?
-  halt 'Please contact support.' if banned?
-end
-
 def csrf_safe?
   csrf_token == params[:csrf_token] || csrf_token == request.env['HTTP_X_CSRF_TOKEN']
 end

views/site_files/text_editor.erb

@@ -120,14 +120,19 @@
     if(unsavedChanges == false)
       return
     $.ajax({
-      url: "/site_files/upload?csrf_token=<%= Rack::Utils.escape csrf_token %>&filename=<%= Rack::Utils.escape @filename %>",
+      url: "/site_files/upload?csrf_token=<%= Rack::Utils.escape csrf_token %>&filename=<%= Rack::Utils.escape @filename %>&site_id=<%= current_site.id %>",
       data: editor.getValue(),
       processData: false,
       contentType: false,
       type: 'POST',
       error: function(jqXHR, textStatus, errorThrown) {
+        var errorMessage = 'There has been an error saving your file, please try again. If it continues to fail, make a copy of the file locally so you don\'t lose your changes!'
+
+        if(jqXHR.responseText)
+          errorMessage += ' ERROR MESSAGE: '+jqXHR.responseText
+
         $('#saveButton').tooltip('show')
-        $('#editorUpdates span').text('There has been an error saving your file, please try again. If it continues to fail, make a copy of the file locally so you don\'t lose your changes!')
+        $('#editorUpdates span').text(errorMessage)
         $('#editorUpdates').fadeIn()
         $('#editorUpdates').removeClass('hidden')
       },