Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: disallow editing of other users' notes

Browse Source 
Feel free to close this if it is intentional, but as you are not allowed to delete other users notes I expect you shouldn't be able to edit them. Editing another users post also changes ownership, allowing you to then delete it.

I also added `error:` to the errormessage so that they display properly.
This commit is contained in:
Mats
2021-06-01 13:36:35 +02:00
committed by Julian Lam
parent ca72aa93d7
commit edcba61aa9
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/socket.io/flags.js
View File

@@ -51,8 +51,16 @@ SocketFlags.appendNote = async function (socket, data) {
const allowed = await user.isPrivileged(socket.uid); const allowed = await user.isPrivileged(socket.uid);
if (!allowed) { if (!allowed) {
throw new Error('[[no-privileges]]'); throw new Error('[[error:no-privileges]]');
} }
if (data.datetime && data.flagId) {
const note = await flags.getNote(data.flagId, data.datetime);
if (note.uid !== socket.uid) {
throw new Error('[[error:no-privileges]]'));
}
}
await flags.appendNote(data.flagId, socket.uid, data.note, data.datetime); await flags.appendNote(data.flagId, socket.uid, data.note, data.datetime);
const [notes, history] = await Promise.all([ const [notes, history] = await Promise.all([