mirror of
https://github.com/spacebarchat/server.git
synced 2024-11-06 10:52:31 +01:00
Merge pull request #734 from MaddyUnderStars/fix/sanitisation
Fix users arbitrarily editing their own User object, and disallow sending messages to certain channels ( eg categories )
commit
3491d01dca
20626
api/assets/schemas.json
20626
api/assets/schemas.json
File diff suppressed because it is too large
@ -31,7 +31,6 @@ const Excluded = [
|
|||||||
];
|
];
|
||||||
|
|
||||||
function modify(obj) {
|
function modify(obj) {
|
||||||
delete obj.additionalProperties;
|
|
||||||
for (var k in obj) {
|
for (var k in obj) {
|
||||||
if (typeof obj[k] === "object" && obj[k] !== null) {
|
if (typeof obj[k] === "object" && obj[k] !== null) {
|
||||||
modify(obj[k]);
|
modify(obj[k]);
|
||||||
|
@ -183,6 +183,9 @@ router.post(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
const channel = await Channel.findOneOrFail({ where: { id: channel_id }, relations: ["recipients", "recipients.user"] });
|
const channel = await Channel.findOneOrFail({ where: { id: channel_id }, relations: ["recipients", "recipients.user"] });
|
||||||
|
if (!channel.isWritable()) {
|
||||||
|
throw new HTTPError(`Cannot send messages to channel of type ${channel.type}`, 400)
|
||||||
|
}
|
||||||
|
|
||||||
const embeds = body.embeds || [];
|
const embeds = body.embeds || [];
|
||||||
if (body.embed) embeds.push(body.embed);
|
if (body.embed) embeds.push(body.embed);
|
||||||
@ -220,6 +223,8 @@ router.post(
|
|||||||
})
|
})
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
//Fix for the client bug
|
//Fix for the client bug
|
||||||
delete message.member
|
delete message.member
|
||||||
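Review bot: The `channel.isWritable()` guard is added only in this `router.post` handler, so any other code path that persists a message (none is visible in this hunk) would still accept category or voice channels; consider enforcing it where the message entity is built, or confirm that this route is the only entry point. If the caller's permission on the channel is checked later than this point (not visible here), the 400 text `Cannot send messages to channel of type ${channel.type}` tells a user who cannot view the channel what type it is. The added `throw new HTTPError(...)` line is also missing its trailing semicolon, unlike the statements around it. The handler starts and ends outside the hunk.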
|
@ -46,8 +46,6 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
user.assign(body);
|
|
||||||
|
|
||||||
if (body.new_password) {
|
if (body.new_password) {
|
||||||
if (!body.password && !user.email) {
|
if (!body.password && !user.email) {
|
||||||
throw FieldErrors({
|
throw FieldErrors({
|
||||||
@ -66,6 +64,7 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
user.assign(body);
|
||||||
await user.save();
|
await user.save();
|
||||||
|
|
||||||
// @ts-ignore
|
// @ts-ignore
|
||||||
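Review bot: `user.assign(body)` still copies every key of the request body onto the entity, so the fix rests entirely on `UserModifySchema` rejecting unknown properties; an explicit allow-list at the call site would keep this handler safe if the schema is ever regenerated loosely again. Moving the call below the password block also means that any field the block sets on `user` can be overwritten by a same-named key from the client; the block is only partly visible in these two hunks, so this needs checking. `password` and `new_password` are read from `body` here and would be assigned onto the user too unless the entity ignores them, which `const { password, new_password, ...profile } = body; user.assign(profile);` would avoid. The handler starts and ends outside the hunks.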
|
@ -352,6 +352,17 @@ export class Channel extends BaseClass {
|
|||||||
isDm() {
|
isDm() {
|
||||||
return this.type === ChannelType.DM || this.type === ChannelType.GROUP_DM;
|
return this.type === ChannelType.DM || this.type === ChannelType.GROUP_DM;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Does the channel support sending messages ( eg categories do not )
|
||||||
|
isWritable() {
|
||||||
|
const disallowedChannelTypes = [
|
||||||
|
ChannelType.GUILD_CATEGORY,
|
||||||
|
ChannelType.GUILD_VOICE, // TODO: Remove this when clients can send messages to voice channels on discord.com
|
||||||
|
ChannelType.GUILD_STAGE_VOICE,
|
||||||
|
ChannelType.VOICELESS_WHITEBOARD,
|
||||||
|
];
|
||||||
|
return disallowedChannelTypes.indexOf(this.type) == -1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
export interface ChannelPermissionOverwrite {
|
export interface ChannelPermissionOverwrite {
|
||||||
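Review bot: `isWritable()` is a deny-list, so any channel type not named in `disallowedChannelTypes`, including types added to `ChannelType` later, is treated as writable by default; an allow-list of the text-capable types would fail closed instead. The membership test can be written as `return !disallowedChannelTypes.includes(this.type);`, which drops the loose `== -1` comparison, and the array could be hoisted to a module-level constant so it is not rebuilt on every call. The one-line comment above the method would read better as a doc comment stating that it returns `false` for category, voice, stage and whiteboard channels and `true` for everything else.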
|