authorJohn McLear <john@mclear.co.uk>2013-10-06 15:15:43 +0100
committerJohn McLear <john@mclear.co.uk>2013-10-06 15:15:43 +0100
commitb32aaaeb1b89d1b9dac095689fe9af44994fe95b (patch)
treed83f520c0f36c4f805ebdcca1ef6a9f1b4d2a56c
parenteb611e2b36da83ca210d1eaa8a18c01a615a923e (diff)
downloadetherpad-lite-b32aaaeb1b89d1b9dac095689fe9af44994fe95b.zip
do not pass historical author data to read only users
-rw-r--r--src/node/handler/PadMessageHandler.js6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index a79d2410..82586425 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -1012,10 +1012,16 @@ function handleClientReady(client, message)
var attribsForWire = Changeset.prepareForWire(atext.attribs, pad.pool);
var apool = attribsForWire.pool.toJsonable();
atext.attribs = attribsForWire.translated;
+
+
// Warning: never ever send padIds.padId to the client. If the
// client is read only you would open a security hole 1 swedish
// mile wide...
+ // Heh, turns out we already did when we sent historicalAuthorData so
+ // if it's a readonly pad request don't send the pad IDs of the author
+ if(sessioninfos[client.id].readonly) historicalAuthorData = {};
+
var clientVars = {
"accountPrivs": {
"maxRevisions": 100