Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-02-26 16:41:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: don't allow joining topic_<tid> & category_<cid>

Browse Source 
socket.io rooms if you don't have relevant privileges
This commit is contained in:
Barış Soner Uşaklı
2024-08-02 16:09:35 -04:00
parent ac644ac286
commit 503a97e520
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/socket.io/meta.js
View File

@@ -5,6 +5,7 @@ const os = require('os');
const user = require('../user'); const user = require('../user');
const meta = require('../meta'); const meta = require('../meta');
const topics = require('../topics'); const topics = require('../topics');
const privileges = require('../privileges');
const SocketMeta = module.exports; const SocketMeta = module.exports;
SocketMeta.rooms = {}; SocketMeta.rooms = {};
@@ -44,6 +45,20 @@ SocketMeta.rooms.enter = async function (socket, data) {
throw new Error('[[error:not-allowed]]'); throw new Error('[[error:not-allowed]]');
} }
if (data.enter && data.enter.startsWith('topic_')) {
const tid = data.enter.split('_').pop();
if (!await privileges.topics.can('topics:read', tid, socket.uid)) {
throw new Error('[[error:no-privileges]]');
}
}
if (data.enter && data.enter.startsWith('category_')) {
const cid = data.enter.split('_').pop();
if (!await privileges.categories.can('read', cid, socket.uid)) {
throw new Error('[[error:no-privileges]]');
}
}
leaveCurrentRoom(socket); leaveCurrentRoom(socket);
if (data.enter) { if (data.enter) {