public-offering
/
pad.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

do not pass historical author data to read only users

pull/1921/head
John McLear 2013-10-06 15:15:43 +01:00
parent eb611e2b36
commit b32aaaeb1b
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/node/handler/PadMessageHandler.js
View File

@ -1013,9 +1013,15 @@ function handleClientReady(client, message)
var apool = attribsForWire.pool.toJsonable(); var apool = attribsForWire.pool.toJsonable();
atext.attribs = attribsForWire.translated; atext.attribs = attribsForWire.translated;
// Warning: never ever send padIds.padId to the client. If the // Warning: never ever send padIds.padId to the client. If the
// client is read only you would open a security hole 1 swedish // client is read only you would open a security hole 1 swedish
// mile wide... // mile wide...
// Heh, turns out we already did when we sent historicalAuthorData so
// if it's a readonly pad request don't send the pad IDs of the author
if(sessioninfos[client.id].readonly) historicalAuthorData = {};
var clientVars = { var clientVars = {
"accountPrivs": { "accountPrivs": {
"maxRevisions": 100 "maxRevisions": 100