Oops, fix a security error in outfit saving
Uhhh I guess I never added the check that the outfit you're editing is your own? Embarrassing.
I don't have any reason to believe anyone abused this, but 😬! Good to have fixed now!
This commit is contained in:
parent
4b2d1f949b
commit
5dfd67a221
1 changed files with 13 additions and 0 deletions
|
@ -147,6 +147,7 @@ const resolvers = {
|
||||||
{
|
{
|
||||||
currentUserId,
|
currentUserId,
|
||||||
db,
|
db,
|
||||||
|
outfitLoader,
|
||||||
petTypeBySpeciesAndColorLoader,
|
petTypeBySpeciesAndColorLoader,
|
||||||
petStatesForPetTypeLoader,
|
petStatesForPetTypeLoader,
|
||||||
}
|
}
|
||||||
|
@ -157,6 +158,18 @@ const resolvers = {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (id) {
|
||||||
|
const outfit = await outfitLoader.load(id);
|
||||||
|
if (outfit == null) {
|
||||||
|
throw new Error(`outfit ${outfit.id} does not exist`);
|
||||||
|
}
|
||||||
|
if (outfit.userId !== currentUserId) {
|
||||||
|
throw new Error(
|
||||||
|
`user ${currentUserId} does not own outfit ${outfit.id}`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Get the base name of the provided name: trim it, and strip any "(1)"
|
// Get the base name of the provided name: trim it, and strip any "(1)"
|
||||||
// suffixes.
|
// suffixes.
|
||||||
const baseName = (rawName || "Untitled outfit").replace(
|
const baseName = (rawName || "Untitled outfit").replace(
|
||||||
|
|
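Review bot: The not-found branch dereferences the value it has just established is null — `throw new Error(\`outfit ${outfit.id} does not exist\`)` will throw a TypeError on `outfit.id` rather than the intended message — so it should interpolate the argument instead: `throw new Error(\`outfit ${id} does not exist\`);`. The ownership check itself passes whenever the two sides are equal, which includes `undefined === undefined`; if `currentUserId` can be unset for an unauthenticated caller and any stored outfit lacks a `userId`, the guard is bypassed, so tightening it to `if (currentUserId == null || outfit.userId !== currentUserId) {` is a cheap precaution (the data model is not visible here, so this is hedged rather than a confirmed hole). Conversely `!==` is type-strict, so if the loader returns `userId` as a number while `currentUserId` is a string (or vice versa) the real owner is rejected — worth confirming both come back with the same type. The two distinct error messages also let any caller learn which outfit ids exist versus which they merely don't own; whether that matters depends on how ids are issued, which the hunk does not show. The enclosing resolver begins before this hunk.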