From 7a765018f29972563a4879389ef708ff2ce7e345 Mon Sep 17 00:00:00 2001
From: Lawrence Elitzer <5624305+elitzer2@users.noreply.github.com>
Date: Sat, 29 Aug 2020 07:30:06 -0500
Subject: [PATCH 1/3] Fix subscription widget
---
 server/routes/subscription.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/routes/subscription.js b/server/routes/subscription.js
index 36b2d1f8..99542bec 100644
--- a/server/routes/subscription.js
+++ b/server/routes/subscription.js
@@ -281,6 +281,9 @@ router.postAsync('/:cid/subscribe', passport.parseForm, corsOrCsrfProtection, as
 if (existingSubscription && existingSubscription.status === SubscriptionStatus.SUBSCRIBED) {
 await mailHelpers.sendAlreadySubscribed(req.locale, list, email, existingSubscription);
+ if (req.xhr) {
+ throw new Error(tUI('listEmailAddressAlreadyRegistered', req.locale, {list: list.name}));
+ }
 res.redirect('/subscription/' + encodeURIComponent(req.params.cid) + '/confirm-subscription-notice');
 } else {
@@ -325,7 +328,7 @@ router.getAsync('/:cid/widget', cors(corsOptions), async (req, res) => {
 title: list.name,
 cid: list.cid,
 publicKeyUrl: getTrustedUrl('subscription/publickey'),
- subscribeUrl: getTrustedUrl(`subscription/${list.cid}/subscribe`),
+ subscribeUrl: getPublicUrl(`subscription/${list.cid}/subscribe`),
 hasPubkey: !!configItems.pgpPrivateKey,
 customFields: await fields.forHbs(contextHelpers.getAdminContext(), list.id),
 template: {},
From e3c11476fbcd5b20f089e8dbbb06416353206e5a Mon Sep 17 00:00:00 2001
From: Lawrence Elitzer <5624305+elitzer2@users.noreply.github.com>
Date: Sat, 29 Aug 2020 09:04:59 -0500
Subject: [PATCH 2/3] Add template rendering to widget
---
 server/routes/subscription.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/server/routes/subscription.js b/server/routes/subscription.js
index 99542bec..7446580f 100644
--- a/server/routes/subscription.js
+++ b/server/routes/subscription.js
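Review bot: `publicKeyUrl`, the line above the changed `subscribeUrl` in the `/:cid/widget` hunk, is still built with `getTrustedUrl`, so the widget payload now mixes the trusted and the public base URL. The route is served cross-origin (`cors(corsOptions)`), which means the trusted base URL is handed to every embedding page, and the key link presumably works only where the trusted endpoint is reachable. If the `subscription/publickey` route is also served on the public endpoint, switch it as well: `publicKeyUrl: getPublicUrl('subscription/publickey'),`. The handler starts and ends outside this hunk, so any other URLs it returns are not visible here.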
@@ -331,14 +331,15 @@ router.getAsync('/:cid/widget', cors(corsOptions), async (req, res) => {
 subscribeUrl: getPublicUrl(`subscription/${list.cid}/subscribe`),
 hasPubkey: !!configItems.pgpPrivateKey,
 customFields: await fields.forHbs(contextHelpers.getAdminContext(), list.id),
- template: {},
+ template: 'subscription/widget-subscribe.hbs',
 layout: null,
 };
 await injectCustomFormData(req.query.fid || list.default_form, 'web_subscribe', data);
- const renderAsync = bluebird.promisify(res.render.bind(res));
- const html = await renderAsync('subscription/widget-subscribe', data);
+ const htmlRenderer = await tools.getTemplate(data.template, req.locale);
+
+ const html = htmlRenderer(data);
 const response = {
 data: {
From 43837210edab64e804409539f590652065313014 Mon Sep 17 00:00:00 2001
From: Lawrence Elitzer <5624305+elitzer2@users.noreply.github.com>
Date: Sun, 30 Aug 2020 00:48:33 -0500
Subject: [PATCH 3/3] Don't reveal to the API the list of subscribers
---
 server/routes/subscription.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/server/routes/subscription.js b/server/routes/subscription.js
index 7446580f..bbcc1ac5 100644
--- a/server/routes/subscription.js
+++ b/server/routes/subscription.js
@@ -282,7 +282,9 @@ router.postAsync('/:cid/subscribe', passport.parseForm, corsOrCsrfProtection, as
 if (existingSubscription && existingSubscription.status === SubscriptionStatus.SUBSCRIBED) {
 await mailHelpers.sendAlreadySubscribed(req.locale, list, email, existingSubscription);
 if (req.xhr) {
- throw new Error(tUI('listEmailAddressAlreadyRegistered', req.locale, {list: list.name}));
+ return res.status(200).json({
+ msg: tUI('pleaseConfirmSubscription', req.locale)
+ });
 }
 res.redirect('/subscription/' + encodeURIComponent(req.params.cid) + '/confirm-subscription-notice');
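Review bot: `data.template` changes from an object (`{}`) to a string, yet `data` still passes through `injectCustomFormData(...)` before `tools.getTemplate(data.template, req.locale)` reads it. That helper is not in the hunk; if it applies a custom form by setting properties on `data.template`, those writes are lost or throw on a string, and the widget would then ignore the form selected by `req.query.fid`. Because `fid` comes straight from the query string on a CORS-enabled route, it is also worth confirming that the form is checked as belonging to this list before its template is rendered. A one-line comment on the `template:` line stating which shape `injectCustomFormData` and `tools.getTemplate` expect would settle the first point; the return value of `tools.getTemplate` is also called without a check, so a missing template would surface as a bare TypeError.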
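Review bot: The generic reply added under `if (req.xhr)` hides subscription status only if the XHR response for a new address, in the `else` branch outside this hunk, has the same status code, JSON shape and `msg` text; any difference there leaves the enumeration signal this commit sets out to remove. Add a comment above the `return` so the wording is not "corrected" later, e.g. `// Same reply as for a new address: do not disclose whether this email is already subscribed.`, and ideally build both replies from one shared helper. `sendAlreadySubscribed` still runs on every such request, so it is worth confirming the route is rate limited (nothing visible here does so); otherwise repeated posts produce repeated mail to the subscriber.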