From be01417cdfe69eae93c671a7b1df12471cd2a67c Mon Sep 17 00:00:00 2001
From: rainbow napkin
Date: Thu, 6 Nov 2025 19:01:22 -0500
Subject: [PATCH] Updated vague DB query which could lead to pwned accounts
---
 README.md | 2 +-
 src/controllers/api/account/deleteController.js | 2 +-
 src/controllers/api/account/updateController.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index d04e2ca..9902977 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Canopy
-0.4-INDEV Hotfix 1
+0.4-INDEV Hotfix 2
 =========
 Canopy - /ˈkæ.nə.pi/:
diff --git a/src/controllers/api/account/deleteController.js b/src/controllers/api/account/deleteController.js
index 94b9cdf..af70cbd 100644
--- a/src/controllers/api/account/deleteController.js
+++ b/src/controllers/api/account/deleteController.js
@@ -38,7 +38,7 @@ module.exports.post = async function(req, res){
 return res.send('Invalid Session! Cannot delete account while logged out!');
 }
- const userDB = await userModel.findOne(user);
+ const userDB = await userModel.findOne({user: user.user});
 if(!userDB){
diff --git a/src/controllers/api/account/updateController.js b/src/controllers/api/account/updateController.js
index befca96..3a04355 100644
--- a/src/controllers/api/account/updateController.js
+++ b/src/controllers/api/account/updateController.js
@@ -46,7 +46,7 @@ module.exports.post = async function(req, res){
 const {field, change} = data;
 const {user} = req.session;
- const userDB = await userModel.findOne(user);
+ const userDB = await userModel.findOne({user: user.user});
 const update = {};
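Review bot: The new filter `{user: user.user}` in deleteController.js is built without checking that `user.user` is actually a non-empty string, and the identical line in updateController.js has the same gap. If the session object ever lacks that field, the filter value is `undefined`; depending on how `userModel` and its driver treat undefined filter values, that could match on null or widen the match rather than fail, so it is worth confirming and rejecting early with something like `if(!user || typeof user.user !== 'string' || user.user === ''){ /* treat as invalid session */ }`. In updateController.js no session check is visible inside the hunk, so `user.user` would throw if `req.session.user` is unset. Both function bodies start and end outside their hunks, so a guard may already exist above. A short comment on the query would also help future readers, e.g. `// Filter on the username only; never pass the whole session object as the query`.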