From 3e8f3cd938995a75e5146a149bf339dd5603416f Mon Sep 17 00:00:00 2001 From: John McLear Date: Tue, 18 Nov 2014 14:56:40 +0000 Subject: [PATCH] hrm I dont trust this security --- src/node/hooks/express/adminplugins.js | 5 +++-- src/node/hooks/express/adminsettings.js | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/node/hooks/express/adminplugins.js b/src/node/hooks/express/adminplugins.js index b348c0233..ccc100dcc 100644 --- a/src/node/hooks/express/adminplugins.js +++ b/src/node/hooks/express/adminplugins.js @@ -24,8 +24,9 @@ exports.expressCreateServer = function (hook_name, args, cb) { exports.socketio = function (hook_name, args, cb) { var io = args.io.of("/pluginfw/installer"); io.on('connection', function (socket) { - console.warn("THIS IS BROKEN", socket.handshake); - if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return; + + console.warn ("The middleware now handles auth but I'm not convinced SocketIO is being responsible enough here so this needs reviewing before hitting master"); + // if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return; socket.on("getInstalled", function (query) { // send currently installed plugins diff --git a/src/node/hooks/express/adminsettings.js b/src/node/hooks/express/adminsettings.js index ba3009cd9..3529e2059 100644 --- a/src/node/hooks/express/adminsettings.js +++ b/src/node/hooks/express/adminsettings.js @@ -22,9 +22,9 @@ exports.expressCreateServer = function (hook_name, args, cb) { exports.socketio = function (hook_name, args, cb) { var io = args.io.of("/settings"); io.on('connection', function (socket) { - console.warn ("THIS IS BROKEN"); - if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return; + console.warn ("The middleware now handles auth but I'm not convinced SocketIO is being responsible enough here so this needs reviewing before hitting master"); + // if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return; socket.on("load", function (query) { fs.readFile('settings.json', 'utf8', function (err,data) {