From d411e4e409b84541fd3536edb9bf5b5a23543648 Mon Sep 17 00:00:00 2001
From: Niharika Khanna
Date: Wed, 16 Aug 2017 21:44:37 +0530
Subject: [PATCH] add authorization check on set-title

---
 server/src/server.js | 2 +-
 server/src/servershot.js | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/server/src/server.js b/server/src/server.js
index db27283612..15c9e7b00a 100644
--- a/server/src/server.js
+++ b/server/src/server.js
@@ -696,7 +696,7 @@ app.post("/api/set-title/:id/:domain", csrfProtection, function(req, res) {
 simpleResponse(res, "Not logged in", 401);
 return;
 }
- Shot.get(req.backend, shotId).then((shot) => {
+ Shot.get(req.backend, shotId, req.deviceId, req.accountId).then((shot) => {
 if (!shot) {
 simpleResponse(res, "No such shot", 404);
 return;
diff --git a/server/src/servershot.js b/server/src/servershot.js
index feffb1efe9..7d55d1c783 100644
--- a/server/src/servershot.js
+++ b/server/src/servershot.js
@@ -369,8 +369,8 @@ class ServerClip extends AbstractShot.prototype.Clip {
 
 Shot.prototype.Clip = ServerClip;
 
-Shot.get = function(backend, id, deviceId) {
- return Shot.getRawValue(id, deviceId).then((rawValue) => {
+Shot.get = function(backend, id, deviceId, accountId) {
+ return Shot.getRawValue(id, deviceId, accountId).then((rawValue) => {
 if (!rawValue) {
 return null;
 }
@@ -409,14 +409,17 @@ Shot.getFullShot = function(backend, id) {
 });
 };
 
-Shot.getRawValue = function(id, deviceId) {
+Shot.getRawValue = function(id, deviceId, accountId) {
 if (!id) {
 throw new Error("Empty id: " + id);
 }
 let query = `SELECT value, deviceid, url, title, expire_time, deleted, block_type, devices.accountid FROM data, devices WHERE data.deviceid = devices.id AND data.id = $1`;
 let params = [id];
- if (deviceId) {
+ if (accountId) {
+ query += ` AND devices.accountid = $2`
+ params.push(accountId);
+ } else if (deviceId) {
 query += ` AND deviceid = $2`;
 params.push(deviceId);
 }
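Review bot: On the changed `Shot.get(...)` line the ownership check now lives entirely inside the lookup — a shot owned by a different account or device resolves to null and the handler answers 404, which is a reasonable choice since it does not reveal whether the id exists, but nothing at the call site says so. The lookup in servershot.js applies no owner filter at all when both `req.deviceId` and `req.accountId` are falsy, so the `Not logged in` guard just above (its condition is outside the hunk) is what keeps an unauthenticated request from renaming an arbitrary shot; it is worth confirming that guard actually tests `req.deviceId`. A one-line comment would make the intent durable: `// Ownership check: Shot.get yields null (-> 404) unless this account/device owns the shot`. The handler continues outside the hunk.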
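Review bot: `Shot.get` gains a fourth parameter with no documentation, and from the signature alone a reader cannot tell that `deviceId` and `accountId` are authorization filters rather than lookup hints. A short header comment above the function would fix that, e.g. `// deviceId/accountId restrict the lookup to shots owned by that device or account; accountId takes precedence and deviceId is then ignored; with neither, any shot id matches.` The same documentation gap applies to `Shot.getRawValue` in the next hunk. `Shot.get`'s body continues outside the hunk.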
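Review bot: The added line `query += ` AND devices.accountid = $2`` is missing its terminating semicolon, unlike the `deviceId` branch two lines below; ASI makes it run, but it is inconsistent with the rest of the function and most lint configs flag it. More importantly, the branch order means `deviceId` is ignored whenever `accountId` is truthy, and when neither is set the SELECT carries no ownership clause at all, so this function only acts as an authorization check when the caller passes one of the ids — that contract deserves a comment on the `if (accountId)` line, such as `// accountId takes precedence over deviceId; with neither the lookup is unrestricted`. Binding both ids through `$2` keeps them out of the SQL text, which is the right way to do it. The function's return statement lies outside the hunk.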