From 4eabf41a21f949d63e9908c6e29f97cd75bf8ecb Mon Sep 17 00:00:00 2001
From: barisusakli
Date: Wed, 24 Sep 2014 13:36:32 -0400
Subject: [PATCH] dont allow invalid status to be set
---
 src/socket.io/user.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/socket.io/user.js b/src/socket.io/user.js
index 88273f8709..0b34551d08 100644
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@@ -350,6 +350,11 @@ SocketUser.setStatus = function(socket, status, callback) {
 if (!socket.uid) {
 return callback(new Error('[[invalid-uid]]'));
 }
+
+ var allowedStatus = ['online', 'offline', 'dnd', 'away'];
+ if (allowedStatus.indexOf(status) === -1) {
+ return callback(new Error('[[invalid-user-status]]'));
+ }
 user.setUserField(socket.uid, 'status', status, function(err) {
 if (err) {
 return callback(err);
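Review bot: The allow-list is a local array inside `SocketUser.setStatus`, so the check added after the `socket.uid` guard protects only this socket handler; any other path that reaches `user.setUserField(uid, 'status', ...)` would still store an arbitrary value (whether such paths exist is not visible in this hunk). Consider hoisting `var allowedStatus = ['online', 'offline', 'dnd', 'away'];` to a shared constant and enforcing it where the field is written, so every writer gets the same check. The `indexOf` comparison is strict, so non-string payloads are rejected too, which deserves a short comment such as `// status comes from the client; only these exact strings may be stored`. Values stored before this change are left untouched, so code that renders the status should presumably still escape it. The body of setStatus continues past the end of the hunk.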