fix security issue with posts editing

History.md

@@ -12,6 +12,7 @@
 * You can now assign a category to posts generated from feeds (thanks @Accentax!).
 * Use tagline as title on homepage.
 * Refactor default view route controller code. 
+* Fixed security issue with post editing.
 
 ## v0.14.0 “GridScope”
 

collections/posts.js

@@ -429,13 +429,13 @@ Meteor.methods({
     // userId
     // sticky (default to false)
 
-    // if user is not admin, go over each schema property and clear it if it's not editable
+    // if user is not admin, go over each schema property and throw an error if it's not editable
     if (!hasAdminRights) {
       _.keys(post).forEach(function (propertyName) {
         var property = postSchemaObject[propertyName];
         if (!property || !property.autoform || !property.autoform.editable) {
-          console.log("// Disallowed property detected: "+propertyName+" (nice try!)");
-          delete post[propertyName]
+          console.log('//' + i18n.t('disallowed_property_detected') + ": " + propertyName);
+          throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + propertyName);
         }
       });
     }
@@ -455,7 +455,8 @@ Meteor.methods({
 
   editPost: function (post, modifier, postId) {
 
-    var user = Meteor.user();
+    var user = Meteor.user(),
+        hasAdminRights = isAdmin(user);
 
     // ------------------------------ Checks ------------------------------ //
 
@@ -463,6 +464,21 @@ Meteor.methods({
     if (!user || !can.edit(user, Posts.findOne(postId)))
       throw new Meteor.Error(601, i18n.t('sorry_you_cannot_edit_this_post'));
 
+    // if user is not admin, go over each schema property and throw an error if it's not editable
+    if (!hasAdminRights) {
+      // loop over each operation ($set, $unset, etc.)
+      _.each(modifier, function (operation) {
+        // loop over each property being operated on
+        _.keys(operation).forEach(function (propertyName) {
+          var property = postSchemaObject[propertyName];
+          if (!property || !property.autoform || !property.autoform.editable) {
+            console.log('//' + i18n.t('disallowed_property_detected') + ": " + propertyName);
+            throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + propertyName);
+          }
+        });
+      });
+    }
+
     // ------------------------------ Callbacks ------------------------------ //
 
     // run all post submit server callbacks on modifier successively

i18n/en.i18n.json

@@ -113,7 +113,8 @@
   "sorry_you_do_not_have_the_rights_to_comments": "Sorry, you do not have the rights to leave comments at this time.",
   "not_found": "Not Found!",
   "were_sorry_whatever_you_were_looking_for_isnt_here": "We're sorry; whatever you were looking for isn't here..",
-
+  "disallowed_property_detected": "Disallowed property detected",
+  
   //Notifications
   "no_notifications": "No notifications",
   "1_notification": "1 notification",