Forbid update of someone else's profile

This commit is contained in:
Brendan Abolivier 2017-07-21 18:14:51 +01:00
parent fa713e6876
commit 2e3c166f89
2 changed files with 20 additions and 6 deletions


@ -98,10 +98,17 @@ func GetAvatarURL(
// SetAvatarURL implements PUT /profile/{userID}/avatar_url // SetAvatarURL implements PUT /profile/{userID}/avatar_url
func SetAvatarURL( func SetAvatarURL(
req *http.Request, accountDB *accounts.Database, userID string, req *http.Request, accountDB *accounts.Database, device *authtypes.Device,
producer *producers.UserUpdateProducer, cfg *config.Dendrite, userID string, producer *producers.UserUpdateProducer, cfg *config.Dendrite,
rsProducer *producers.RoomserverProducer, queryAPI api.RoomserverQueryAPI, rsProducer *producers.RoomserverProducer, queryAPI api.RoomserverQueryAPI,
) util.JSONResponse { ) util.JSONResponse {
if userID != device.UserID {
return util.JSONResponse{
Code: 403,
JSON: jsonerror.Forbidden("userID does not match the current user"),
}
}
changedKey := "avatar_url" changedKey := "avatar_url"
var r avatarURL var r avatarURL
@ -183,10 +190,17 @@ func GetDisplayName(
// SetDisplayName implements PUT /profile/{userID}/displayname // SetDisplayName implements PUT /profile/{userID}/displayname
func SetDisplayName( func SetDisplayName(
req *http.Request, accountDB *accounts.Database, userID string, req *http.Request, accountDB *accounts.Database, device *authtypes.Device,
producer *producers.UserUpdateProducer, cfg *config.Dendrite, userID string, producer *producers.UserUpdateProducer, cfg *config.Dendrite,
rsProducer *producers.RoomserverProducer, queryAPI api.RoomserverQueryAPI, rsProducer *producers.RoomserverProducer, queryAPI api.RoomserverQueryAPI,
) util.JSONResponse { ) util.JSONResponse {
if userID != device.UserID {
return util.JSONResponse{
Code: 403,
JSON: jsonerror.Forbidden("userID does not match the current user"),
}
}
changedKey := "displayname" changedKey := "displayname"
var r displayName var r displayName
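Review bot: The ownership check added at the top of SetAvatarURL and SetDisplayName is copy-pasted verbatim in both hunks, so the next profile-mutating handler can silently omit it; it belongs in one small helper that every PUT on /profile/{userID}/* calls first, written with `Code: http.StatusForbidden` rather than the bare `403`. Comparing the path userID with `device.UserID` by exact string equality fails closed, which is the right default here, and doing it before the request body is parsed is also right. The helper below adds a nil guard on device; whether MakeAuthAPI can ever hand a nil device is not visible in this diff, so drop the guard if it cannot. The doc comments should also state the contract, e.g. `// SetAvatarURL implements PUT /profile/{userID}/avatar_url. Only the authenticated user may update their own profile; any other userID is rejected with 403.` Both functions continue past the end of their hunks.
```go
// requireOwnUser returns a 403 response when the path userID is not the
// authenticated device's user, or nil when the caller may proceed.
func requireOwnUser(userID string, device *authtypes.Device) *util.JSONResponse {
	if device == nil || userID != device.UserID {
		return &util.JSONResponse{
			Code: http.StatusForbidden,
			JSON: jsonerror.Forbidden("userID does not match the current user"),
		}
	}
	return nil
}

// … in SetAvatarURL and SetDisplayName, replacing the inline check …
if resp := requireOwnUser(userID, device); resp != nil {
	return *resp
}
```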


@ -185,7 +185,7 @@ func Setup(
r0mux.Handle("/profile/{userID}/avatar_url", r0mux.Handle("/profile/{userID}/avatar_url",
common.MakeAuthAPI("profile_avatar_url", deviceDB, func(req *http.Request, device *authtypes.Device) util.JSONResponse { common.MakeAuthAPI("profile_avatar_url", deviceDB, func(req *http.Request, device *authtypes.Device) util.JSONResponse {
vars := mux.Vars(req) vars := mux.Vars(req)
return readers.SetAvatarURL(req, accountDB, vars["userID"], userUpdateProducer, &cfg, producer, queryAPI) return readers.SetAvatarURL(req, accountDB, device, vars["userID"], userUpdateProducer, &cfg, producer, queryAPI)
}), }),
).Methods("PUT", "OPTIONS") ).Methods("PUT", "OPTIONS")
// Browsers use the OPTIONS HTTP method to check if the CORS policy allows // Browsers use the OPTIONS HTTP method to check if the CORS policy allows
@ -201,7 +201,7 @@ func Setup(
r0mux.Handle("/profile/{userID}/displayname", r0mux.Handle("/profile/{userID}/displayname",
common.MakeAuthAPI("profile_displayname", deviceDB, func(req *http.Request, device *authtypes.Device) util.JSONResponse { common.MakeAuthAPI("profile_displayname", deviceDB, func(req *http.Request, device *authtypes.Device) util.JSONResponse {
vars := mux.Vars(req) vars := mux.Vars(req)
return readers.SetDisplayName(req, accountDB, vars["userID"], userUpdateProducer, &cfg, producer, queryAPI) return readers.SetDisplayName(req, accountDB, device, vars["userID"], userUpdateProducer, &cfg, producer, queryAPI)
}), }),
).Methods("PUT", "OPTIONS") ).Methods("PUT", "OPTIONS")
// Browsers use the OPTIONS HTTP method to check if the CORS policy allows // Browsers use the OPTIONS HTTP method to check if the CORS policy allows
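Review bot: The route wiring at the SetAvatarURL and SetDisplayName calls gives no indication that the path `userID` is caller-supplied and is only checked against `device.UserID` inside the reader, so someone reading routing.go alone could take it for a trusted parameter. A one-line comment above each handler closure would make that dependency explicit: `// vars["userID"] is untrusted; SetAvatarURL rejects it with 403 unless it equals device.UserID.` The same comment, with SetDisplayName, belongs on the displayname route.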