From acc9aedd6d15d26d12de0525e560969993174f09 Mon Sep 17 00:00:00 2001 From: Sacha Greif Date: Thu, 12 Feb 2015 08:24:41 +0900 Subject: [PATCH] fix security issue with posts editing --- History.md | 1 + collections/posts.js | 24 ++++++++++++++++++++---- i18n/en.i18n.json | 3 ++- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/History.md b/History.md index 7a8f3212d..918b7fe8e 100644 --- a/History.md +++ b/History.md @@ -12,6 +12,7 @@ * You can now assign a category to posts generated from feeds (thanks @Accentax!). * Use tagline as title on homepage. * Refactor default view route controller code. +* Fixed security issue with post editing. ## v0.14.0 “GridScope” diff --git a/collections/posts.js b/collections/posts.js index 27d0a26a5..2866e79a9 100644 --- a/collections/posts.js +++ b/collections/posts.js @@ -429,13 +429,13 @@ Meteor.methods({ // userId // sticky (default to false) - // if user is not admin, go over each schema property and clear it if it's not editable + // if user is not admin, go over each schema property and throw an error if it's not editable if (!hasAdminRights) { _.keys(post).forEach(function (propertyName) { var property = postSchemaObject[propertyName]; if (!property || !property.autoform || !property.autoform.editable) { - console.log("// Disallowed property detected: "+propertyName+" (nice try!)"); - delete post[propertyName] + console.log('//' + i18n.t('disallowed_property_detected') + ": " + propertyName); + throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + propertyName); } }); } @@ -455,7 +455,8 @@ Meteor.methods({ editPost: function (post, modifier, postId) { - var user = Meteor.user(); + var user = Meteor.user(), + hasAdminRights = isAdmin(user); // ------------------------------ Checks ------------------------------ // 
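Review bot: The property check added to submitPost here and the one added to editPost in the next hunk repeat the same three-line test and the same error construction, so the two will drift apart the next time one of them is touched; extracting a shared helper such as `function assertEditableProperty(propertyName) { var property = postSchemaObject[propertyName]; if (!property || !property.autoform || !property.autoform.editable) throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + propertyName); }` and calling it from both loops keeps a single definition of what is editable. Note also that this hunk changes submitPost from silently stripping non-editable fields to rejecting the whole submission, so any client form that still sends server-populated fields (the comment just above lists userId and sticky) now fails instead of being cleaned up; the client side is not visible here to confirm whether that happens. The enclosing submitPost method starts before and ends after this hunk.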
@@ -463,6 +464,21 @@ Meteor.methods({ if (!user || !can.edit(user, Posts.findOne(postId))) throw new Meteor.Error(601, i18n.t('sorry_you_cannot_edit_this_post')); + // if user is not admin, go over each schema property and throw an error if it's not editable + if (!hasAdminRights) { + // loop over each operation ($set, $unset, etc.) + _.each(modifier, function (operation) { + // loop over each property being operated on + _.keys(operation).forEach(function (propertyName) { + var property = postSchemaObject[propertyName]; + if (!property || !property.autoform || !property.autoform.editable) { + console.log('//' + i18n.t('disallowed_property_detected') + ": " + propertyName); + throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + propertyName); + } + }); + }); + } + // ------------------------------ Callbacks ------------------------------ // // run all post submit server callbacks on modifier successively diff --git a/i18n/en.i18n.json b/i18n/en.i18n.json index 4fbb6ea70..e187ffbae 100644 --- a/i18n/en.i18n.json +++ b/i18n/en.i18n.json @@ -113,7 +113,8 @@ "sorry_you_do_not_have_the_rights_to_comments": "Sorry, you do not have the rights to leave comments at this time.", "not_found": "Not Found!", "were_sorry_whatever_you_were_looking_for_isnt_here": "We're sorry; whatever you were looking for isn't here..", - + "disallowed_property_detected": "Disallowed property detected", + //Notifications "no_notifications": "No notifications", "1_notification": "1 notification",
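Review bot: The new loop validates only the keys of each modifier operation, so the operator names themselves are never inspected and an operator whose value designates another field rather than a plain value is not covered by this key lookup. Pinning the accepted operators to an explicit allow-list before the key check, using the second `_.each` argument `function (operation, operator)` and `if (!_.contains(['$set', '$unset'], operator)) throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + operator);`, fails closed on anything unexpected. Nothing in the hunk checks the shape of the arguments either; `check(postId, String)` and `check(modifier, Object)` ahead of `Posts.findOne(postId)` would stop a non-string postId from being interpreted as a selector (the later update call is outside this hunk, so how postId is used there cannot be confirmed). The string error code `"disallowed_property"` also differs in style from the numeric `601` used on the line above it, which may be intentional but is inconsistent within the same method. editPost continues outside the hunk.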