From edcba61aa954f6cdda7bb43d8c8b5abcb8368db0 Mon Sep 17 00:00:00 2001
From: Mats
Date: Tue, 1 Jun 2021 13:36:35 +0200
Subject: [PATCH] fix: disallow editing of other users' notes

Feel free to close this if it is intentional, but as you are not allowed to delete other users notes I expect you shouldn't be able to edit them. Editing another users post also changes ownership, allowing you to then delete it. I also added `error:` to the errormessage so that they display properly.
---
 src/socket.io/flags.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/socket.io/flags.js b/src/socket.io/flags.js
index c63d3511a0..33bcc7ea32 100644
--- a/src/socket.io/flags.js
+++ b/src/socket.io/flags.js
@@ -51,8 +51,16 @@ SocketFlags.appendNote = async function (socket, data) {
 	const allowed = await user.isPrivileged(socket.uid);
 	if (!allowed) {
-		throw new Error('[[no-privileges]]');
+		throw new Error('[[error:no-privileges]]');
 	}
+
+	if (data.datetime && data.flagId) {
+		const note = await flags.getNote(data.flagId, data.datetime);
+		if (note.uid !== socket.uid) {
+			throw new Error('[[error:no-privileges]]'));
+		}
+	}
+
 	await flags.appendNote(data.flagId, socket.uid, data.note, data.datetime);
 	const [notes, history] = await Promise.all([