From b0819659baf18853fd0ef6616f44ed0afe20f558 Mon Sep 17 00:00:00 2001 From: Chris Brame Date: Tue, 16 Oct 2018 23:34:18 -0400 Subject: [PATCH] fix(assets): security fix --- src/middleware/index.js | 5 ++--- src/webserver.js | 3 +++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/middleware/index.js b/src/middleware/index.js index d7164798d..6bba96588 100644 --- a/src/middleware/index.js +++ b/src/middleware/index.js @@ -98,9 +98,8 @@ module.exports = function(app, db, callback) { //Mobile app.use('/mobile', express.static(path.join(__dirname, '../../', 'mobile'))); - app.use('/uploads/tickets', middleware.redirectToLogin, express.static(path.resolve(__dirname, '/public/uploads/tickets'))); - app.use('/uploads/users', middleware.redirectToLogin, express.static(path.resolve(__dirname, '/public/uploads/users'))); - + app.use('/uploads', middleware.redirectToLogin, express.static(path.resolve(__dirname, '/public/uploads'))); + app.use(express.static(path.join(__dirname, '../../', 'public'))); //Remove to enable plugins diff --git a/src/webserver.js b/src/webserver.js index ac491b400..36f203b52 100644 --- a/src/webserver.js +++ b/src/webserver.js @@ -96,6 +96,9 @@ var async = require('async'), app.set('view engine', 'hbs'); hbsHelpers.register(hbs.handlebars); + // Prevent unauth from uploads + app.use('/uploads', middleware.redirectToLogin, express.static(path.resolve(__dirname, '/public/uploads'))); + app.use(express.static(path.join(__dirname, '../', 'public'))); app.use(favicon(path.join(__dirname, '../', 'public/img/favicon.ico'))); app.use(bodyParser.urlencoded({ extended: false }));
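Review bot: The new `/uploads` mount in src/middleware/index.js builds its root with `path.resolve(__dirname, '/public/uploads')`, and because the second segment is absolute, `path.resolve` discards `__dirname` and returns `/public/uploads` at the filesystem root rather than the project's public folder. That static handler will most likely never find a file: the login gate still runs first, but authenticated requests fall through to the general `express.static(... 'public')` mount on the following line, so the protection rests entirely on registration order. Use the same base as that line: `app.use('/uploads', middleware.redirectToLogin, express.static(path.join(__dirname, '../../', 'public/uploads')));`. The identical expression is added in src/webserver.js, where the root would be `path.join(__dirname, '../', 'public/uploads')`. The enclosing function starts and ends outside the hunk.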
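Review bot: The gate added in src/webserver.js is mounted ahead of `bodyParser` with no session or authentication setup visible before it in the hunk. `redirectToLogin` is not shown, but if it decides on `req.user` or session state populated by middleware registered later, every `/uploads` request here would be treated as unauthenticated; confirm the ordering against the rest of the function, which continues outside the hunk. The comment could also record the constraint that makes the line effective, for example `// Gate /uploads behind login; must stay above the public static mount below, which would otherwise serve these files without authentication`. Note too that this is an authentication check only: presumably any logged-in account can still fetch any file under `/uploads`, so per-ticket or per-user authorization would need a separate handler.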