fix: #7901, handle group names that are translation keys

6 years ago · 3455c27a8d
parent c5ffd8cc74
commit 3455c27a8d
4 changed files with 15 additions and 3 deletions
--- a/src/privileges/helpers.js
+++ b/src/privileges/helpers.js
@ -2,10 +2,12 @@
 'use strict';

 const _ = require('lodash');
+const validator = require('validator');

 const groups = require('../groups');
 const user = require('../user');
 const plugins = require('../plugins');
+const translator = require('../translator');

 const helpers = module.exports;

@ -126,7 +128,8 @@ helpers.getGroupPrivileges = async function (cid, hookName, groupPrivilegeList)
 			memberPrivs[groupPrivileges[x]] = memberSets[x].includes(member);
 		}
 		return {
-			name: member,
+			name: validator.escape(member),
+			nameEscaped: translator.escape(validator.escape(member)),
 			privileges: memberPrivs,
 			isPrivate: groupData[index] && !!groupData[index].private,
 		};
--- a/src/socket.io/admin/categories.js
+++ b/src/socket.io/admin/categories.js
@ -1,6 +1,7 @@
 'use strict';

 const groups = require('../../groups');
+const user = require('../../user');
 const categories = require('../../categories');
 const privileges = require('../../privileges');
 const plugins = require('../../plugins');
@ -51,6 +52,14 @@ Categories.setPrivilege = async function (socket, data) {
 	if (!data) {
 		throw new Error('[[error:invalid-data]]');
 	}
+	const [userExists, groupExists] = await Promise.all([
+		user.exists(data.member),
+		groups.exists(data.member),
+	]);
+
+	if (!userExists && !groupExists) {
+		throw new Error('[[error:no-user-or-group]]');
+	}

 	if (Array.isArray(data.privilege)) {
 		await Promise.all(data.privilege.map(privilege => groups[data.set ? 'join' : 'leave']('cid:' + data.cid + ':privileges:' + privilege, data.member)));
--- a/src/views/admin/partials/categories/privileges.tpl
+++ b/src/views/admin/partials/categories/privileges.tpl
@ -27,7 +27,7 @@
 						</thead>
 						<tbody>
 							<!-- BEGIN privileges.groups -->
-							<tr data-group-name="{privileges.groups.name}" data-private="<!-- IF privileges.groups.isPrivate -->1<!-- ELSE -->0<!-- ENDIF privileges.groups.isPrivate -->">
+							<tr data-group-name="{privileges.groups.nameEscaped}" data-private="<!-- IF privileges.groups.isPrivate -->1<!-- ELSE -->0<!-- ENDIF privileges.groups.isPrivate -->">
 								<td>
 									<!-- IF privileges.groups.isPrivate -->
 									<i class="fa fa-lock text-muted" title="[[admin/manage/categories:privileges.group-private]]"></i>
--- a/src/views/admin/partials/global/privileges.tpl
+++ b/src/views/admin/partials/global/privileges.tpl
@ -13,7 +13,7 @@
 						</thead>
 						<tbody>
 							<!-- BEGIN privileges.groups -->
-							<tr data-group-name="{privileges.groups.name}" data-private="<!-- IF privileges.groups.isPrivate -->1<!-- ELSE -->0<!-- ENDIF privileges.groups.isPrivate -->">
+							<tr data-group-name="{privileges.groups.nameEscaped}" data-private="<!-- IF privileges.groups.isPrivate -->1<!-- ELSE -->0<!-- ENDIF privileges.groups.isPrivate -->">
 								<td>
 									<!-- IF privileges.groups.isPrivate -->
 									<i class="fa fa-lock text-muted" title="[[admin/manage/categories:privileges.group-private]]"></i>