Check that people setting post.userId are actually admins before we set it

This commit is contained in:
Josh Owens 2013-11-05 18:46:25 -05:00
parent 4bb605a965
commit dde7f6ea9d


@ -24,7 +24,7 @@ Meteor.methods({
var headline = cleanUp(post.headline),
body = cleanUp(post.body),
user = Meteor.user(),
userId = post.userId || user._id,
userId = user._id,
submitted = parseInt(post.submitted) || new Date().getTime(),
defaultStatus = getSetting('requirePostsApproval') ? STATUS_PENDING : STATUS_APPROVED,
status = post.status || defaultStatus,
@ -34,7 +34,10 @@ Meteor.methods({
postInterval = Math.abs(parseInt(getSetting('postInterval', 30))),
maxPostsPer24Hours = Math.abs(parseInt(getSetting('maxPostsPerDay', 30))),
postId = '';
if(isAdmin(Meteor.user()) {
userId = post.userId || user._id // Don't trust HTML from the users, they are bad
}
// check that user can post
if (!user || !canPost(user))
throw new Meteor.Error(601, 'You need to login or be invited to post new stories.');
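Review bot: The added `if(isAdmin(Meteor.user()) {` is missing a closing parenthesis, so the file will not parse; since `user` is already bound to `Meteor.user()` a few lines earlier, `if (isAdmin(user)) {` fixes the syntax and avoids the second lookup. The comment on the next line talks about HTML, but the value being guarded is a user id; `// Only admins may submit a post on behalf of another user` states the intent. The same trust issue appears to remain for `status = post.status || defaultStatus` in the first hunk: a client can presumably send its own `status` and skip the `requirePostsApproval` pending state, so that assignment likely wants the same admin gate. Note also that the new `userId = user._id` dereferences `user` before the `!user` check below it, so an anonymous caller gets a TypeError instead of the intended 601 error; moving the guard above the declarations, or using `user && user._id`, would keep the error path consistent. The enclosing method body starts and ends outside the hunks.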