add authorization check on set-title

mozilla-services · Aug 16, 2017 · d411e4e · d411e4e
1 parent d17285e
commit d411e4e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/server/src/server.js b/server/src/server.js
@@ -696,7 +696,7 @@ app.post("/api/set-title/:id/:domain", csrfProtection, function(req, res) {
     simpleResponse(res, "Not logged in", 401);
     return;
   }
-  Shot.get(req.backend, shotId).then((shot) => {
+  Shot.get(req.backend, shotId, req.deviceId, req.accountId).then((shot) => {
     if (!shot) {
       simpleResponse(res, "No such shot", 404);
       return;

diff --git a/server/src/servershot.js b/server/src/servershot.js
@@ -369,8 +369,8 @@ class ServerClip extends AbstractShot.prototype.Clip {
 
 Shot.prototype.Clip = ServerClip;
 
-Shot.get = function(backend, id, deviceId) {
-  return Shot.getRawValue(id, deviceId).then((rawValue) => {
+Shot.get = function(backend, id, deviceId, accountId) {
+  return Shot.getRawValue(id, deviceId, accountId).then((rawValue) => {
     if (!rawValue) {
       return null;
     }
@@ -409,14 +409,17 @@ Shot.getFullShot = function(backend, id) {
   });
 };
 
-Shot.getRawValue = function(id, deviceId) {
+Shot.getRawValue = function(id, deviceId, accountId) {
   if (!id) {
     throw new Error("Empty id: " + id);
   }
   let query = `SELECT value, deviceid, url, title, expire_time, deleted, block_type, devices.accountid
   FROM data, devices WHERE data.deviceid = devices.id AND data.id = $1`;
   let params = [id];
-  if (deviceId) {
+  if (accountId) {
+    query += ` AND devices.accountid = $2`
+    params.push(accountId);
+  } else if (deviceId) {
     query += ` AND deviceid = $2`;
     params.push(deviceId);
   }