krikkert/habitica
1
0
Fork 0
mirror of https://github.com/HabitRPG/habitica.git synced 2025-12-15 05:37:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(chat): validate group membership, by @phillipthelen

Browse Source
This commit is contained in:
Sabe Jones
2024-06-11 13:14:47 -05:00
parent 758b6138c2
commit 5719e5e996
6 changed files with 68 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
test/api/v3/integration/chat/POST-chat.flag.test.js
View File

@@ -223,4 +223,23 @@ describe('POST /chat/:chatId/flag', () => {
expect(auMessageToCheck).to.not.exist; expect(auMessageToCheck).to.not.exist;
}); });
it('validates that the message belongs to the passed group', async () => {
const { group: anotherGroup, groupLeader: anotherLeader } = await createAndPopulateGroup({
groupDetails: {
name: 'Another Guild',
type: 'guild',
privacy: 'private',
},
upgradeToGroupPlan: true,
});
const message = await anotherUser.post(`/groups/${group._id}/chat`, { message: TEST_MESSAGE });
await expect(anotherLeader.post(`/groups/${anotherGroup._id}/chat/${message.message.id}/flag`))
.to.eventually.be.rejected.and.eql({
code: 404,
error: 'NotFound',
message: t('messageGroupChatNotFound'),
});
});
}); });

32
test/api/v3/integration/chat/POST-chat.like.test.js
View File

@@ -1,5 +1,6 @@
import { find } from 'lodash'; import { find } from 'lodash';
import { import {
generateUser,
createAndPopulateGroup, createAndPopulateGroup,
translate as t, translate as t,
} from '../../../../helpers/api-integration/v3'; } from '../../../../helpers/api-integration/v3';
@@ -79,4 +80,35 @@ describe('POST /chat/:chatId/like', () => {
const messageToCheck = find(groupWithoutChatLikes.chat, { id: message.message.id }); const messageToCheck = find(groupWithoutChatLikes.chat, { id: message.message.id });
expect(messageToCheck.likes[user._id]).to.equal(false); expect(messageToCheck.likes[user._id]).to.equal(false);
}); });
it('validates that the message belongs to the passed group', async () => {
const { group: anotherGroup, groupLeader: anotherLeader } = await createAndPopulateGroup({
groupDetails: {
name: 'Another Guild',
type: 'guild',
privacy: 'private',
},
upgradeToGroupPlan: true,
});
const message = await anotherUser.post(`/groups/${groupWithChat._id}/chat`, { message: testMessage });
await expect(anotherLeader.post(`/groups/${anotherGroup._id}/chat/${message.message.id}/like`))
.to.eventually.be.rejected.and.eql({
code: 404,
error: 'NotFound',
message: t('messageGroupChatNotFound'),
});
});
it('does not like a message if the user is not in the group', async () => {
const thirdUser = await generateUser();
const message = await user.post(`/groups/${groupWithChat._id}/chat`, { message: testMessage });
await expect(thirdUser.post(`/groups/${groupWithChat._id}/chat/${message.message.id}/like`))
.to.eventually.be.rejected.and.eql({
code: 404,
error: 'NotFound',
message: t('groupNotFound'),
});
});
}); });

14
test/api/v3/integration/user/auth/PUT-user_update_email.test.js
View File

@@ -108,6 +108,20 @@ describe('PUT /user/auth/update-email', () => {
const isValidPassword = await bcryptCompare(textPassword, user.auth.local.hashed_password); const isValidPassword = await bcryptCompare(textPassword, user.auth.local.hashed_password);
expect(isValidPassword).to.equal(true); expect(isValidPassword).to.equal(true);
}); });
it('invalidates any outstanding password reset code', async () => {
await user.updateOne({
'auth.local.passwordResetCode': 'impossible-reset-code',
});
await user.put(ENDPOINT, {
newEmail: 'bogo@example.com',
password: oldPassword,
});
await user.sync();
expect(user.auth.local.passwordResetCode).to.not.exist;
});
}); });
context('Social Login User', async () => { context('Social Login User', async () => {

1
website/server/controllers/api-v3/auth.js
View File

@@ -432,6 +432,7 @@ api.updateEmail = {
} }
user.auth.local.email = req.body.newEmail.toLowerCase(); user.auth.local.email = req.body.newEmail.toLowerCase();
user.auth.local.passwordResetCode = undefined;
await user.save(); await user.save();
return res.respond(200, { email: user.auth.local.email }); return res.respond(200, { email: user.auth.local.email });

2
website/server/controllers/api-v3/chat.js
View File

@@ -295,7 +295,7 @@ api.likeChat = {
const group = await Group.getGroup({ user, groupId }); const group = await Group.getGroup({ user, groupId });
if (!group) throw new NotFound(res.t('groupNotFound')); if (!group) throw new NotFound(res.t('groupNotFound'));
const message = await Chat.findOne({ _id: req.params.chatId }).exec(); const message = await Chat.findOne({ _id: req.params.chatId, groupId: group._id }).exec();
if (!message) throw new NotFound(res.t('messageGroupChatNotFound')); if (!message) throw new NotFound(res.t('messageGroupChatNotFound'));
if (!message.likes) message.likes = {}; if (!message.likes) message.likes = {};

2
website/server/libs/chatReporting/groupChatReporter.js
View File

@@ -36,7 +36,7 @@ export default class GroupChatReporter extends ChatReporter {
}); });
if (!group) throw new NotFound(this.res.t('groupNotFound')); if (!group) throw new NotFound(this.res.t('groupNotFound'));
const message = await Chat.findOne({ _id: this.req.params.chatId }).exec(); const message = await Chat.findOne({ _id: this.req.params.chatId, groupId: group._id }).exec();
if (!message) throw new NotFound(this.res.t('messageGroupChatNotFound')); if (!message) throw new NotFound(this.res.t('messageGroupChatNotFound'));
if (message.uuid === 'system') throw new BadRequest(this.res.t('messageCannotFlagSystemMessages', { communityManagerEmail: COMMUNITY_MANAGER_EMAIL })); if (message.uuid === 'system') throw new BadRequest(this.res.t('messageCannotFlagSystemMessages', { communityManagerEmail: COMMUNITY_MANAGER_EMAIL }));