	fix: restrict the ability to make a remote user a chat room owner
re: #12834
		| @@ -112,10 +112,14 @@ define('forum/chats/manage', [ | ||||
|  | ||||
| 	function addToggleOwnerHandler(roomId, modal) { | ||||
| 		modal.on('click', '[data-action="toggleOwner"]', async function () { | ||||
| 			const uid = parseInt(this.getAttribute('data-uid'), 10); | ||||
| 			const uid = String(this.getAttribute('data-uid')); | ||||
| 			const iconEl = modal.get(0).querySelector(`[component="chat/manage/user/list"] > [data-uid="${uid}"] [component="chat/manage/user/owner/icon"]`); | ||||
| 			const current = !iconEl.classList.contains('hidden'); | ||||
|  | ||||
| 			if (!utils.isNumber(uid)) { | ||||
| 				return alerts.error('[[error:invalid-uid]]'); | ||||
| 			} | ||||
|  | ||||
| 			await api[current ? 'del' : 'put'](`/chats/${roomId}/owners/${uid}`); | ||||
| 			iconEl.classList.toggle('hidden'); | ||||
| 		}); | ||||
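Review bot: The `utils.isNumber(uid)` guard in the click handler runs too late. By then `uid` has already been interpolated into the `querySelector` selector and `iconEl.classList` has been read, so a `data-uid` that matches no icon element, or that contains a `"`, throws before `alerts.error` is reached. Move the guard directly under `const uid = String(this.getAttribute('data-uid'));` and return early when the lookup finds nothing, e.g. `if (!iconEl) { return; }`. The closing brace of addToggleOwnerHandler lies outside the hunk.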
|   | ||||
| @@ -253,7 +253,7 @@ chatsAPI.users = async (caller, data) => { | ||||
| 	users.forEach((user) => { | ||||
| 		const isSelf = parseInt(user.uid, 10) === parseInt(caller.uid, 10); | ||||
| 		user.canKick = isOwner && !isSelf; | ||||
| 		user.canToggleOwner = (isAdmin || isOwner) && !isSelf; | ||||
| 		user.canToggleOwner = utils.isNumber(user.uid) && (isAdmin || isOwner) && !isSelf; | ||||
| 		user.online = parseInt(user.uid, 10) === parseInt(caller.uid, 10) || onlineUids.includes(String(user.uid)); | ||||
| 	}); | ||||
| 	return { users }; | ||||
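Review bot: `user.canToggleOwner` only decides whether the toggle control is offered; none of the visible hunks makes the handler behind `/chats/${roomId}/owners/${uid}` reject a non-numeric uid. The only server-side check in this commit is in `Groups.ownership.grant` and `rescind`, and it is not visible here whether the chat-room owner toggle goes through those functions. If it does not, the same `utils.isNumber(uid)` check with `[[error:invalid-uid]]` belongs in the chat owner handler, so a hand-built request gets the same answer as the UI. The enclosing chatsAPI.users starts outside the hunk.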
|   | ||||
| @@ -2,6 +2,7 @@ | ||||
|  | ||||
| const db = require('../database'); | ||||
| const plugins = require('../plugins'); | ||||
| const utils = require('../utils'); | ||||
|  | ||||
| module.exports = function (Groups) { | ||||
| 	Groups.ownership = {}; | ||||
| @@ -22,11 +23,19 @@ module.exports = function (Groups) { | ||||
| 	}; | ||||
|  | ||||
| 	Groups.ownership.grant = async function (toUid, groupName) { | ||||
| 		if (!utils.isNumber(toUid)) { | ||||
| 			throw new Error('[[error:invalid-uid]]'); | ||||
| 		} | ||||
|  | ||||
| 		await db.setAdd(`group:${groupName}:owners`, toUid); | ||||
| 		plugins.hooks.fire('action:group.grantOwnership', { uid: toUid, groupName: groupName }); | ||||
| 	}; | ||||
|  | ||||
| 	Groups.ownership.rescind = async function (toUid, groupName) { | ||||
| 		if (!utils.isNumber(toUid)) { | ||||
| 			throw new Error('[[error:invalid-uid]]'); | ||||
| 		} | ||||
|  | ||||
| 		// If the owners set only contains one member (and toUid is that member), error out! | ||||
| 		const [numOwners, isOwner] = await Promise.all([ | ||||
| 			db.setCount(`group:${groupName}:owners`), | ||||
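Review bot: The new guard at the top of `Groups.ownership.rescind` also blocks cleanup. If a non-numeric uid was added to `group:${groupName}:owners` before this change, rescind now throws `[[error:invalid-uid]]` before it can remove that entry. Consider validating only in `grant` and letting `rescind` proceed for any uid, or handling legacy entries separately. A comment above the check in `grant` would also help, e.g. `// remote users have non-numeric uids and may not own groups`, since the reason is otherwise only in the commit title. The rest of rescind lies outside the hunk, so how the removal uses `toUid` is presumed from the visible lines.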
|   | ||||