
Merge pull request #3038 from weseek/dev/4.1.x

release v4.1.10
Yuki Takei 5 yıl önce
ebeveyn
işleme
4c2438c41e

+ 5 - 0
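--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,10 @@
 # CHANGES
 
+## v4.1.10
+
+* Fix: Make listing users API secure
+* Fix: Error message when the server denies guest user connecting with socket.io
+
 ## v4.1.9
 
 * Feature: Environment variables to set max connection size to deliver push messages to all clients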

+ 1 - 1
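--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "growi",
-  "version": "4.1.9-RC",
+  "version": "4.1.10-RC",
   "description": "Team collaboration software using markdown",
   "tags": [
     "wiki",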

+ 2 - 2
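--- a/src/server/middlewares/login-required.js
+++ b/src/server/middlewares/login-required.js
@@ -47,13 +47,13 @@ module.exports = (crowi, isGuestAllowed = false, fallback = null) => {
     const path = req.path || '';
     if (path.match(/^\/_api\/.+$/)) {
       if (fallback != null) {
-        return fallback(req, res);
+        return fallback(req, res, next);
       }
       return res.sendStatus(403);
     }
 
     if (fallback != null) {
-      return fallback(req, res);
+      return fallback(req, res, next);
     }
     req.session.redirectTo = req.originalUrl;
     return res.redirect('/login');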
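Review bot: Forwarding `next` to the fallback on both branches lets a fallback hand an unauthenticated request straight on to the protected handler, and nothing in the hunk records that a fallback which calls `next()` must have established the caller's identity itself — a fallback written for the `/_api/` branch could quietly reopen the path that otherwise ends in `res.sendStatus(403)`. I would state that contract in the JSDoc of the `fallback` parameter on the enclosing `module.exports` arrow function, which begins before the hunk: `@param {function(req, res, next)} [fallback] - called instead of the 403 / redirect; invoking next() continues into the route, so the fallback must perform its own authorization check`. A test that a fallback calling `next()` reaches the downstream handler, and that one not calling it does not, would pin that behavior rather than leave it implied by argument passing.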

+ 1 - 1
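--- a/src/server/routes/apiv3/users.js
+++ b/src/server/routes/apiv3/users.js
@@ -152,7 +152,7 @@ module.exports = (crowi) => {
    *                      $ref: '#/components/schemas/PaginateResult'
    */
 
-  router.get('/', validator.statusList, apiV3FormValidator, async(req, res) => {
+  router.get('/', loginRequiredStrictly, validator.statusList, apiV3FormValidator, async(req, res) => {
 
     const page = parseInt(req.query.page) || 1;
     // status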
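Review bot: `loginRequiredStrictly` only requires an authenticated session, so after this change every logged-in account can page through the full user list; if this endpoint exists for the admin user-management screen, an admin-only guard (assuming the project has one) would be the tighter fix, which cannot be confirmed from this hunk alone. The handler body runs past the hunk, so it is also not visible which user fields are serialized — a listing of `username` and `status` is harmless, but email addresses, API tokens or password hashes must be stripped before the changelog entry "Make listing users API secure" is really true. A regression test asserting 403 for a guest on `GET /_api/v3/users` would keep the guard from being dropped on a later refactor. I would also leave a one-line reminder above the route: `// user listing exposes account data; must never be served to unauthenticated callers`.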

+ 2 - 2
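--- a/src/test/middlewares/login-required.test.js
+++ b/src/test/middlewares/login-required.test.js
@@ -228,7 +228,7 @@ describe('loginRequired', () => {
       expect(res.redirect).not.toHaveBeenCalled();
       expect(res.sendStatus).not.toHaveBeenCalled();
       expect(fallbackMock).toHaveBeenCalledTimes(1);
-      expect(fallbackMock).toHaveBeenCalledWith(req, res);
+      expect(fallbackMock).toHaveBeenCalledWith(req, res, next);
       expect(result).toBe('fallback');
     });
 
@@ -242,7 +242,7 @@ describe('loginRequired', () => {
       expect(res.sendStatus).not.toHaveBeenCalled();
       expect(res.redirect).not.toHaveBeenCalled();
       expect(fallbackMock).toHaveBeenCalledTimes(1);
-      expect(fallbackMock).toHaveBeenCalledWith(req, res);
+      expect(fallbackMock).toHaveBeenCalledWith(req, res, next);
       expect(result).toBe('fallback');
     });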
     });