Maintain panel phrase security boundaries.

2019-07-12 08:09:05 +10:00 · 2019-07-12 08:09:05 +10:00 · 7bbaa3050c
parent 533c4ca56a
commit 7bbaa3050c
1 changed files with 10 additions and 6 deletions
--- a/routes.go
+++ b/routes.go
@ -237,17 +237,21 @@ func routeAPIPhrases(w http.ResponseWriter, r *http.Request, user c.User) c.Rout
 	}

 	var plist map[string]string
-	var notModified = false
+	var notModified, private bool
 	var posLoop = func(positive string) c.RouteError {
 		// ! Constrain it to a subset of phrases for now
 		for _, item := range phraseWhitelist {
 			if strings.HasPrefix(positive, item) {
 				// TODO: Break this down into smaller security boundaries based on control panel sections?
+				// TODO: Do we have to be so strict with panel phrases?
 				if strings.HasPrefix(positive, "panel") {
-					w.Header().Set("Cache-Control", "private")
+					private = true
 					ok = user.IsSuperMod
 				} else {
 					ok = true
+					if notModified {
+						return nil
+					}
 					w.Header().Set("ETag", etag)
 					match := r.Header.Get("If-None-Match")
 					if match != "" && strings.Contains(match, etag) {
@ -272,9 +276,6 @@ func routeAPIPhrases(w http.ResponseWriter, r *http.Request, user c.User) c.Rout
 			if rerr != nil {
 				return rerr
 			}
-			if notModified {
-				break
-			}
 			pPhrases, ok := phrases.GetTmplPhrasesByPrefix(positive)
 			if !ok {
 				return c.PreErrorJS("No such prefix", w, r)
@ -294,7 +295,10 @@ func routeAPIPhrases(w http.ResponseWriter, r *http.Request, user c.User) c.Rout
 		}
 		plist = pPhrases
 	}
-	if notModified {
+
+	if private {
+		w.Header().Set("Cache-Control", "private")
+	} else if notModified {
 		w.WriteHeader(http.StatusNotModified)
 		return nil
 	}