Validate all 'author' attribs of incoming changesets to be the same value as the current user's authorId

2013-03-13 22:23:35 +01:00 · 2013-03-13 22:23:35 +01:00 · c30b0b72b8
parent acb4b4ebaf
commit c30b0b72b8
1 changed files with 6 additions and 1 deletions
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@ -550,11 +550,16 @@ function handleUserChanges(client, message)
            throw "Attribute pool is missing attribute "+n+" for changeset "+changeset;
          }
        });
+
+        // Validate all 'author' attribs to be the same value as the current user
+        wireApool.eachAttrib(function(type, value) {
+          if('author' == type && value != thisSession.author) throw "Trying to submit changes as another author"
+        })
      }
      catch(e)
      {
        // There is an error in this changeset, so just refuse it
-        console.warn("Can't apply USER_CHANGES "+changeset+", because it failed checkRep");
+        console.warn("Can't apply USER_CHANGES "+changeset+", because: "+e);
        client.json.send({disconnect:"badChangeset"});
        return;
      }