poll widget: Prevent question updates from non-authors.

We now ignore question edits if the sender of the submessage
is not the message author.

The webapp UI prevents folks from editing the question for
somebody else's poll, but a determined person could use our
low-level API to do it.  We will add safeguards on the server
side for this, but this change is sufficient to protect the
webapp (and mobile when they upgrade the library).

Steve Howell
2021-06-13 12:46:31 +00:00
committed by Tim Abbott
parent b62d71cf23
commit 5f73164210
3 changed files with 41 additions and 0 deletions

@@ -15,6 +15,7 @@ export function activate({
}) {
const is_my_poll = people.is_my_user_id(message.sender_id);
const poll_data = new PollData({
message_sender_id: message.sender_id,
current_user_id: people.my_current_user_id(),
is_my_poll,
question,
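Review bot: `message_sender_id` is passed to `PollData` next to `is_my_poll`, which is computed two lines earlier from the same `message.sender_id`, so the constructor now receives two representations of one fact that can drift apart. Consider deriving `is_my_poll` inside `PollData` from `message_sender_id` and `current_user_id`, or documenting which field the inbound question handler is meant to use. `is_my_poll` describes the local viewer, not the sender of an incoming submessage, so the guard needs to compare the event's sender id against `message_sender_id` directly; that comparison is not in the lines shown here and should be covered by a test where a non-author sends a question event. Because this filter runs only in the client, a short comment at this call site noting that the server does not yet enforce the same rule would keep later readers from treating it as the authorization check.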