depau/HackMD
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Fix for limited and protected permissions should forbid guest in realtime events

Browse source
This commit is contained in:
Wu Cheng-Han 2017-01-12 23:45:51 +08:00
parent 4851098477
commit 3ee65cd38e
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lib/realtime.js
View file

@ -374,7 +374,7 @@ function finishConnection(socket, note, user) {
return interruptConnection(socket, note, user); return interruptConnection(socket, note, user);
} }
//check view permission //check view permission
if (note.permission == 'private') { if (note.permission == 'limited' || note.permission == 'protected' || note.permission == 'private') {
if (socket.request.user && socket.request.user.logged_in && socket.request.user.id == note.owner) { if (socket.request.user && socket.request.user.logged_in && socket.request.user.id == note.owner) {
//na //na
} else { } else {
@ -790,7 +790,7 @@ function connection(socket) {
var sock = note.socks[i]; var sock = note.socks[i];
if (typeof sock !== 'undefined' && sock) { if (typeof sock !== 'undefined' && sock) {
//check view permission //check view permission
if (permission == 'private') { if (permission == 'limited' || permission == 'protected' || permission == 'private') {
if (sock.request.user && sock.request.user.logged_in && sock.request.user.id == note.owner) { if (sock.request.user && sock.request.user.logged_in && sock.request.user.id == note.owner) {
//na //na
} else { } else {