

Prevent set avatar
sampaiodiego committed Jan 28, 2020
1 parent 6d63fad commit be07e28
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions app/lib/server/functions/sendMessage.js
Expand Up @@ -148,7 +148,7 @@ const validateUserIdentity = (message, _id) => {
if (!message.alias && !message.avatar) {
return;
}
const forbiddenPropsToChangeWhenUserIsNotABot = ['alias', 'avatar'];
const forbiddenPropsToChangeWhenUserIsNotABot = ['avatar'];
const user = Users.findOneById(_id, { fields: { roles: 1, name: 1 } });
/**
* If the query returns no user, the message has likely
Expand All @@ -160,7 +160,7 @@ const validateUserIdentity = (message, _id) => {
}
const userIsNotABot = !user.roles.includes('bot');
const messageContainsAnyForbiddenProp = Object.keys(message).some((key) => forbiddenPropsToChangeWhenUserIsNotABot.includes(key));
if (userIsNotABot && messageContainsAnyForbiddenProp && message.alias !== user.name) {
if (userIsNotABot && (messageContainsAnyForbiddenProp || (typeof message.alias !== 'undefined' && message.alias !== user.name))) {
throw new Error('You are not authorized to change message properties');
}
};
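Review bot: The rewritten non-bot condition tests the two identity properties in different ways: `avatar` is rejected on key presence through `Object.keys(message)`, while `alias` is rejected on value through `typeof message.alias !== 'undefined'`, and the guard at the top of the function uses truthiness for both. Assuming the second line of each printed pair is the new side (the page does not mark sides), a message with an explicit `avatar: undefined` key is refused whereas an undefined alias is not, which is harmless but makes the authorization rule harder to audit. Checking both by value, e.g. `const setsAvatar = typeof message.avatar !== 'undefined';`, and adding a comment such as `// non-bot users may only send an alias equal to their own name, and never an avatar` would state the rule in one place. The commit changes only this file, so a regression test for a non-bot message that pairs an alias equal to the user's own name with an avatar would be worth adding. The part of `validateUserIdentity` between the two hunks is not shown, so the null-user handling cannot be checked from here.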
