chore: bump patch version; update changelog for v1.19.11

fix: prototype vulnerability in socket.io onMessage
fix: use admin:groups priv for groups (#10960 )
2025-12-29 11:50:36 +01:00 · 2022-11-28 10:05:09 -05:00 · 2022-11-28 09:00:53 -05:00 · 2022-10-12 12:52:00 -04:00
5 changed files with 34 additions and 15 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,20 @@
+#### v1.19.11 (2022-11-28)
+
+##### Chores
+
+*  up version, closes #10812 (a06c05c2)
+*  update composer-default (9fffce87)
+
+##### New Features
+
+*  store topic title and tags in diffs (#10900) (175d5342)
+
+##### Bug Fixes
+
+*  prototype vulnerability in socket.io onMessage (963bfff3)
+*  use admin:groups priv for groups (#10960) (65284c14)
+*  broken flag history on flag update (98be0420)
+
 #### v1.19.6 (2022-04-13)

 ##### Chores
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
    "name": "nodebb",
    "license": "GPL-3.0",
    "description": "NodeBB Forum",
-    "version": "1.19.10",
+    "version": "1.19.11",
    "homepage": "http://www.nodebb.org",
    "repository": {
        "type": "git",
--- a/src/api/groups.js
+++ b/src/api/groups.js
@@ -215,14 +215,14 @@ async function isOwner(caller, groupName) {
 	if (typeof groupName !== 'string') {
 		throw new Error('[[error:invalid-group-name]]');
 	}
-	const [isAdmin, isGlobalModerator, isOwner, group] = await Promise.all([
-		user.isAdministrator(caller.uid),
+	const [hasAdminPrivilege, isGlobalModerator, isOwner, group] = await Promise.all([
+		privileges.admin.can('admin:groups', caller.uid),
 		user.isGlobalModerator(caller.uid),
 		groups.ownership.isOwner(caller.uid, groupName),
 		groups.getGroupData(groupName),
 	]);

-	const check = isOwner || isAdmin || (isGlobalModerator && !group.system);
+	const check = isOwner || hasAdminPrivilege || (isGlobalModerator && !group.system);
 	if (!check) {
 		throw new Error('[[error:no-privileges]]');
 	}
--- a/src/socket.io/groups.js
+++ b/src/socket.io/groups.js
@@ -42,13 +42,15 @@ async function isOwner(socket, data) {
 		throw new Error('[[error:invalid-group-name]]');
 	}
 	const results = await utils.promiseParallel({
-		isAdmin: await user.isAdministrator(socket.uid),
-		isGlobalModerator: await user.isGlobalModerator(socket.uid),
-		isOwner: await groups.ownership.isOwner(socket.uid, data.groupName),
-		group: await groups.getGroupData(data.groupName),
+		hasAdminPrivilege: privileges.admin.can('admin:groups', socket.uid),
+		isGlobalModerator: user.isGlobalModerator(socket.uid),
+		isOwner: groups.ownership.isOwner(socket.uid, data.groupName),
+		group: groups.getGroupData(data.groupName),
 	});

-	const isOwner = results.isOwner || results.isAdmin || (results.isGlobalModerator && !results.group.system);
+	const isOwner = results.isOwner ||
+		results.hasAdminPrivilege ||
+		(results.isGlobalModerator && !results.group.system);
 	if (!isOwner) {
 		throw new Error('[[error:no-privileges]]');
 	}
@@ -220,15 +222,15 @@ SocketGroups.loadMoreMembers = async (socket, data) => {
 };

 async function canSearchMembers(uid, groupName) {
-	const [isHidden, isMember, isAdmin, isGlobalMod, viewGroups] = await Promise.all([
+	const [isHidden, isMember, hasAdminPrivilege, isGlobalMod, viewGroups] = await Promise.all([
 		groups.isHidden(groupName),
 		groups.isMember(uid, groupName),
-		user.isAdministrator(uid),
+		privileges.admin.can('admin:groups', uid),
 		user.isGlobalModerator(uid),
 		privileges.global.can('view:groups', uid),
 	]);

-	if (!viewGroups || (isHidden && !isMember && !isAdmin && !isGlobalMod)) {
+	if (!viewGroups || (isHidden && !isMember && !hasAdminPrivilege && !isGlobalMod)) {
 		throw new Error('[[error:no-privileges]]');
 	}
 }
@@ -268,11 +270,11 @@ async function canModifyGroup(uid, groupName) {
 	const results = await utils.promiseParallel({
 		isOwner: groups.ownership.isOwner(uid, groupName),
 		system: groups.getGroupField(groupName, 'system'),
-		isAdmin: user.isAdministrator(uid),
+		hasAdminPrivilege: privileges.admin.can('admin:groups', uid),
 		isGlobalMod: user.isGlobalModerator(uid),
 	});

-	if (!(results.isOwner || results.isAdmin || (results.isGlobalMod && !results.system))) {
+	if (!(results.isOwner || results.hasAdminPrivilege || (results.isGlobalMod && !results.system))) {
 		throw new Error('[[error:no-privileges]]');
 	}
 }
--- a/src/socket.io/index.js
+++ b/src/socket.io/index.js
@@ -13,7 +13,7 @@ const logger = require('../logger');
 const plugins = require('../plugins');
 const ratelimit = require('../middleware/ratelimit');

-const Namespaces = {};
+const Namespaces = Object.create(null);

 const Sockets = module.exports;
Author	SHA1	Message	Date
Julian Lam	49a9b5c9e8	chore: bump patch version; update changelog for v1.19.11	2022-11-28 10:05:09 -05:00
Barış Soner Uşaklı	963bfff3ad	fix: prototype vulnerability in socket.io onMessage	2022-11-28 09:00:53 -05:00
Barış Soner Uşaklı	65284c142a	fix: use admin:groups priv for groups (#10960 )	2022-10-12 12:52:00 -04:00