do not pass historical author data to read only users

pull/1921/head
John McLear 2013-10-06 15:15:43 +01:00
parent eb611e2b36
commit b32aaaeb1b
1 changed files with 6 additions and 0 deletions

View File

@ -1013,9 +1013,15 @@ function handleClientReady(client, message)
var apool = attribsForWire.pool.toJsonable();
atext.attribs = attribsForWire.translated;
// Warning: never ever send padIds.padId to the client. If the
// client is read only you would open a security hole 1 swedish
// mile wide...
// Heh, turns out we already did when we sent historicalAuthorData so
// if it's a readonly pad request don't send the pad IDs of the author
if(sessioninfos[client.id].readonly) historicalAuthorData = {};
var clientVars = {
"accountPrivs": {
"maxRevisions": 100