fix(chat): validate group membership, by @phillipthelen

2025-12-17 22:57:21 +01:00 · 2024-06-11 13:14:47 -05:00
parent 758b6138c2
commit 5719e5e996
6 changed files with 68 additions and 2 deletions
--- a/website/server/controllers/api-v3/auth.js
+++ b/website/server/controllers/api-v3/auth.js
@@ -432,6 +432,7 @@ api.updateEmail = {
    }

    user.auth.local.email = req.body.newEmail.toLowerCase();
+    user.auth.local.passwordResetCode = undefined;
    await user.save();

    return res.respond(200, { email: user.auth.local.email });
--- a/website/server/controllers/api-v3/chat.js
+++ b/website/server/controllers/api-v3/chat.js
@@ -295,7 +295,7 @@ api.likeChat = {
    const group = await Group.getGroup({ user, groupId });
    if (!group) throw new NotFound(res.t('groupNotFound'));

-    const message = await Chat.findOne({ _id: req.params.chatId }).exec();
+    const message = await Chat.findOne({ _id: req.params.chatId, groupId: group._id }).exec();
    if (!message) throw new NotFound(res.t('messageGroupChatNotFound'));
    if (!message.likes) message.likes = {};