From 53106c009c39e38bdd93089ba65f28744252c03c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?= Date: Mon, 11 Sep 2023 10:20:10 -0400 Subject: [PATCH] fix: toMid to posts you cant see --- src/messaging/create.js | 9 ++++++-- src/messaging/data.js | 3 +++ test/messaging.js | 51 +++++++++++++++++++++++++++++++++++++++-- 3 files changed, 59 insertions(+), 4 deletions(-) diff --git a/src/messaging/create.js b/src/messaging/create.js index 81da98d0d6..f40002b801 100644 --- a/src/messaging/create.js +++ b/src/messaging/create.js @@ -42,8 +42,13 @@ module.exports = function (Messaging) { if (!roomData) { throw new Error('[[error:no-room]]'); } - if (data.toMid && !utils.isNumber(data.toMid)) { - throw new Error('[[error:invalid-mid]]'); + if (data.toMid) { + if (!utils.isNumber(data.toMid)) { + throw new Error('[[error:invalid-mid]]'); + } + if (!await Messaging.canViewMessage(data.toMid, roomId, uid)) { + throw new Error('[[error:no-privileges]]'); + } } const mid = await db.incrObjectField('global', 'nextMid'); const timestamp = data.timestamp || Date.now(); diff --git a/src/messaging/data.js b/src/messaging/data.js index e6466f579c..20568cc3f7 100644 --- a/src/messaging/data.js +++ b/src/messaging/data.js @@ -132,6 +132,9 @@ module.exports = function (Messaging) { return; } parentMids = _.uniq(parentMids); + const canView = await Messaging.canViewMessage(parentMids, roomId, uid); + parentMids = parentMids.filter((mid, idx) => canView[idx]); + const parentMessages = await Messaging.getMessagesFields(parentMids, [ 'fromuid', 'content', 'timestamp', 'deleted', ]); diff --git a/test/messaging.js b/test/messaging.js index 395d0f8764..53ae9eb67c 100644 --- a/test/messaging.js +++ b/test/messaging.js @@ -1,7 +1,6 @@ 'use strict'; const assert = require('assert'); -const async = require('async'); const request = require('request-promise-native'); const nconf = require('nconf'); const util = require('util'); 
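Review bot: The new `Messaging.canViewMessage(data.toMid, roomId, uid)` check passes a single mid, while the data.js hunk in this same commit passes an array and indexes the result (`canView[idx]`); that only works if the helper is polymorphic on its first argument, and nothing in create.js records that expectation, so add a line above the check such as `// reply target must be a message this uid may read in this room; canViewMessage returns a boolean for a single mid`. Assuming the helper is a membership test, answering `[[error:no-privileges]]` for both a nonexistent and a hidden mid is the right choice, since it does not let a caller probe which message ids exist in a room. The enclosing function, where `roomId` and `uid` are defined, starts outside the hunk.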
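Review bot: After the added `parentMids.filter((mid, idx) => canView[idx])` the list can become empty, and unlike the `return;` guard visible just above it (which appears to short-circuit on an empty list before the filter) nothing stops `Messaging.getMessagesFields(parentMids, …)` from being called with `[]`; unless that helper is known to tolerate an empty array, add `if (!parentMids.length) { return; }` right after the filter. The filter is only correct because `canView` is computed from the already `_.uniq`'d `parentMids`, so the index alignment deserves a comment, e.g. `// canView[idx] answers for parentMids[idx]; both are post-uniq`. The enclosing function starts and ends outside the hunk.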
@@ -369,7 +368,6 @@ describe('Messaging Library', () => { }); it('should fail to send second message due to rate limit', async () => { - const socketMock = { uid: mocks.users.foo.uid }; const oldValue = meta.config.chatMessageDelay; meta.config.chatMessageDelay = 1000; @@ -572,6 +570,55 @@ describe('Messaging Library', () => { }); }); + describe('toMid', () => { + let roomId; + let firstMid; + before(async () => { + // create room + const { body } = await callv3API('post', `/chats`, { + uids: [mocks.users.bar.uid], + }, 'foo'); + roomId = body.response.roomId; + // send message + const result = await callv3API('post', `/chats/${roomId}`, { + roomId: roomId, + message: 'first chat message', + }, 'foo'); + + firstMid = result.body.response.mid; + }); + + it('should fail if toMid is not a number', async () => { + const result = await callv3API('post', `/chats/${roomId}`, { + roomId: roomId, + message: 'invalid', + toMid: 'osmaosd', + }, 'foo'); + assert.strictEqual(result.body.status.message, 'Invalid Chat Message ID'); + }); + + it('should reply to firstMid using toMid', async () => { + const { body } = await callv3API('post', `/chats/${roomId}`, { + roomId: roomId, + message: 'invalid', + toMid: firstMid, + }, 'bar'); + assert(body.response.mid); + }); + + it('should fail if user can not view toMid', async () => { + // add new user + await callv3API('post', `/chats/${roomId}/users`, { uids: [mocks.users.herp.uid] }, 'foo'); + // try to reply to firstMid that this user cant see + const { body } = await callv3API('post', `/chats/${roomId}`, { + roomId: roomId, + message: 'invalid', + toMid: firstMid, + }, 'herp'); + assert.strictEqual(body.status.message, 'You do not have enough privileges for this action.'); + }); + }); + describe('edit/delete', () => { const socketModules = require('../src/socket.io/modules'); let mid;
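Review bot: The new `describe('toMid')` cases cover the create.js rejection, but as far as this hunk shows nothing exercises the data.js change: there is no case where `bar` replies to `firstMid` and the room is then read as `herp` to assert the reply comes back with no parent attached, which is the read-side filtering that actually keeps the quoted content from leaking. Both negative tests assert on translated strings (`'Invalid Chat Message ID'`, `'You do not have enough privileges for this action.'`), coupling them to the language files rather than the error keys. The third test depends on `herp` being added only after `firstMid` was sent; the `// add new user` comment could state that, e.g. `// herp joins after firstMid was sent, so firstMid is outside their visible history`. Minor style: `roomId: roomId` can be the shorthand `roomId` in each payload.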