author | Marcel Klehr <mklehr@gmx.net> | 2013-03-13 22:23:35 +0100 |
---|---|---|
committer | Marcel Klehr <mklehr@gmx.net> | 2013-03-13 22:23:35 +0100 |
commit | c30b0b72b85b3adc5fb00c5d082ab05c3d2c1efc (patch) | |
tree | f46af4ef224aa128056f299b269327805902aefb | |
parent | acb4b4ebafd366c85662cf5de2a9b15df7eb170b (diff) | |
download | etherpad-lite-c30b0b72b85b3adc5fb00c5d082ab05c3d2c1efc.zip |
Validate all 'author' attribs of incoming changesets to be the same value as the current user's authorId
-rw-r--r-- | src/node/handler/PadMessageHandler.js | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index c046f130..35f1ab4c 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -550,11 +550,16 @@ function handleUserChanges(client, message)
 throw "Attribute pool is missing attribute "+n+" for changeset "+changeset;
 }
 });
+
+ // Validate all 'author' attribs to be the same value as the current user
+ wireApool.eachAttrib(function(type, value) {
+ if('author' == type && value != thisSession.author) throw "Trying to submit changes as another author"
+ })
 }
 catch(e)
 {
 // There is an error in this changeset, so just refuse it
- console.warn("Can't apply USER_CHANGES "+changeset+", because it failed checkRep");
+ console.warn("Can't apply USER_CHANGES "+changeset+", because: "+e);
 client.json.send({disconnect:"badChangeset"});
 return;
 } |
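Review bot: The added `wireApool.eachAttrib` check inspects every entry in the wire pool, not the attributes that the changeset's operations actually apply, so a changeset is refused whenever its pool merely carries another author's id. That fails closed, which is the safe direction, but if legitimate clients can send such pools (for instance an `author` attribute attached only to removed text, or an empty author value; neither is visible here, so this needs confirming), they will be disconnected with `badChangeset`. Scoping the comparison to attribs on inserted text would be more precise, and `!==` would avoid relying on coercion in `value != thisSession.author`. The warning in the `catch` also does not name the submitting session, so an impersonation attempt cannot be attributed from the log; assuming `thisSession` is still in scope there, something like `console.warn("Can't apply USER_CHANGES "+changeset+" from "+thisSession.author+", because: "+e);` would help detection. The body of `handleUserChanges` starts and ends outside this hunk.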