fix: restrict the ability to make a remote user a chat room owner

re: #12834
2025-10-26 08:36:12 +01:00 · 2024-10-04 15:01:15 -04:00
parent f512901778
commit b610b520e9
3 changed files with 15 additions and 2 deletions
--- a/public/src/client/chats/manage.js
+++ b/public/src/client/chats/manage.js
@@ -112,10 +112,14 @@ define('forum/chats/manage', [

 	function addToggleOwnerHandler(roomId, modal) {
 		modal.on('click', '[data-action="toggleOwner"]', async function () {
-			const uid = parseInt(this.getAttribute('data-uid'), 10);
+			const uid = String(this.getAttribute('data-uid'));
 			const iconEl = modal.get(0).querySelector(`[component="chat/manage/user/list"] > [data-uid="${uid}"] [component="chat/manage/user/owner/icon"]`);
 			const current = !iconEl.classList.contains('hidden');

+			if (!utils.isNumber(uid)) {
+				return alerts.error('[[error:invalid-uid]]');
+			}
+
 			await api[current ? 'del' : 'put'](`/chats/${roomId}/owners/${uid}`);
 			iconEl.classList.toggle('hidden');
 		});
--- a/src/api/chats.js
+++ b/src/api/chats.js
@@ -253,7 +253,7 @@ chatsAPI.users = async (caller, data) => {
 	users.forEach((user) => {
 		const isSelf = parseInt(user.uid, 10) === parseInt(caller.uid, 10);
 		user.canKick = isOwner && !isSelf;
-		user.canToggleOwner = (isAdmin || isOwner) && !isSelf;
+		user.canToggleOwner = utils.isNumber(user.uid) && (isAdmin || isOwner) && !isSelf;
 		user.online = parseInt(user.uid, 10) === parseInt(caller.uid, 10) || onlineUids.includes(String(user.uid));
 	});
 	return { users };
--- a/src/groups/ownership.js
+++ b/src/groups/ownership.js
@@ -2,6 +2,7 @@

 const db = require('../database');
 const plugins = require('../plugins');
+const utils = require('../utils');

 module.exports = function (Groups) {
 	Groups.ownership = {};
@@ -22,11 +23,19 @@ module.exports = function (Groups) {
 	};

 	Groups.ownership.grant = async function (toUid, groupName) {
+		if (!utils.isNumber(toUid)) {
+			throw new Error('[[error:invalid-uid]]');
+		}
+
 		await db.setAdd(`group:${groupName}:owners`, toUid);
 		plugins.hooks.fire('action:group.grantOwnership', { uid: toUid, groupName: groupName });
 	};

 	Groups.ownership.rescind = async function (toUid, groupName) {
+		if (!utils.isNumber(toUid)) {
+			throw new Error('[[error:invalid-uid]]');
+		}
+
 		// If the owners set only contains one member (and toUid is that member), error out!
 		const [numOwners, isOwner] = await Promise.all([
 			db.setCount(`group:${groupName}:owners`),