Validate all 'author' attribs of incoming changesets to be the same value as the current user's authorId

Marcel Klehr 2013-03-13 22:23:35 +01:00
parent acb4b4ebaf
commit c30b0b72b8


@ -550,11 +550,16 @@ function handleUserChanges(client, message)
throw "Attribute pool is missing attribute "+n+" for changeset "+changeset; throw "Attribute pool is missing attribute "+n+" for changeset "+changeset;
} }
}); });
// Validate all 'author' attribs to be the same value as the current user
wireApool.eachAttrib(function(type, value) {
if('author' == type && value != thisSession.author) throw "Trying to submit changes as another author"
})
} }
catch(e) catch(e)
{ {
// There is an error in this changeset, so just refuse it // There is an error in this changeset, so just refuse it
console.warn("Can't apply USER_CHANGES "+changeset+", because it failed checkRep"); console.warn("Can't apply USER_CHANGES "+changeset+", because: "+e);
client.json.send({disconnect:"badChangeset"}); client.json.send({disconnect:"badChangeset"});
return; return;
} }
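Review bot: The new `eachAttrib` check rejects on any `author` entry in `wireApool`, whether or not an op in the changeset actually applies it, and it throws a bare string that records neither the claimed author id nor the session's own. Because the pool is client-supplied, a pool-wide comparison is the conservative choice, but it may also refuse legitimate changesets whose pool carries an author entry the ops never use (or an empty author value, if the client uses one to clear authorship; not visible here), and each refusal disconnects the client. For detection it would help to name both ids in the error, e.g. `throw new Error("Trying to submit changes as another author: claimed "+value+", session author "+thisSession.author)`. The `console.warn` line now concatenates both `changeset` and `e`, each derived from client input, so consider truncating or escaping them before logging. `handleUserChanges` begins and ends outside this hunk, so how `thisSession.author` is set cannot be confirmed from here.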