poll widget: Prevent question updates from non-authors.

We now ignore question edits if the sender of the submessage is not the message author. The webapp UI prevents folks from editing the question for somebody else's poll, but a determined person could use our low level API to do it. We will add safeguards on the server side for this, but this change is sufficient to protect the webapp (and mobile when they upgrade the library).
2025-11-04 05:53:43 +00:00 · 2021-06-13 12:46:31 +00:00
parent b62d71cf23
commit 5f73164210
3 changed files with 41 additions and 0 deletions
--- a/frontend_tests/node_tests/poll_widget.js
+++ b/frontend_tests/node_tests/poll_widget.js
@@ -38,6 +38,7 @@ run_test("PollData my question", () => {

    const data_holder = new PollData({
        current_user_id: me.user_id,
+        message_sender_id: me.user_id,
        is_my_poll,
        question,
        options: [],
@@ -181,6 +182,35 @@ run_test("PollData my question", () => {
    });
 });

+run_test("wrong person editing question", () => {
+    const is_my_poll = true;
+    const question = "Favorite color?";
+
+    const data_holder = new PollData({
+        current_user_id: me.user_id,
+        message_sender_id: me.user_id,
+        is_my_poll,
+        question,
+        options: [],
+        comma_separated_names: people.get_full_names_for_poll_option,
+        report_error_function: blueslip.warn,
+    });
+
+    const question_event = {
+        type: "question",
+        question: "best plan?",
+    };
+
+    blueslip.expect("warn", "user 100 is not allowed to edit the question");
+
+    data_holder.handle_event(alice.user_id, question_event);
+
+    assert.deepEqual(data_holder.get_widget_data(), {
+        options: [],
+        question: "Favorite color?",
+    });
+});
+
 run_test("activate another person poll", (override) => {
    override(render_poll_widget, "f", () => "widgets/poll_widget");
    override(render_poll_widget_results, "f", () => "widgets/poll_widget_results");
--- a/static/js/poll_widget.js
+++ b/static/js/poll_widget.js
@@ -15,6 +15,7 @@ export function activate({
 }) {
    const is_my_poll = people.is_my_user_id(message.sender_id);
    const poll_data = new PollData({
+        message_sender_id: message.sender_id,
        current_user_id: people.my_current_user_id(),
        is_my_poll,
        question,
--- a/static/shared/js/poll_data.js
+++ b/static/shared/js/poll_data.js
@@ -8,6 +8,7 @@ export class PollData {
    my_idx = 1;

    constructor({
+        message_sender_id,
        current_user_id,
        is_my_poll,
        question,
@@ -15,6 +16,7 @@ export class PollData {
        comma_separated_names,
        report_error_function,
    }) {
+        this.message_sender_id = message_sender_id;
        this.me = current_user_id;
        this.is_my_poll = is_my_poll;
        this.poll_question = question;
@@ -124,6 +126,14 @@ export class PollData {
            },

            inbound: (sender_id, data) => {
+                // Only the message author can edit questions.
+                if (sender_id !== this.message_sender_id) {
+                    this.report_error_function(
+                        `user ${sender_id} is not allowed to edit the question`,
+                    );
+                    return;
+                }
+
                this.set_question(data.question);
            },
        },