specter/CyTube
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Fix another instance where #335 could be exposed

Browse source
This commit is contained in:
calzoneman 2014-03-20 09:18:54 -05:00
parent a6434ec47f
commit 7134de4de5
1 changed files with 11 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
lib/channel.js
View file

@ -1542,7 +1542,7 @@ Channel.prototype.handleQueue = function (user, data) {
if (data.pos === "next" && !this.hasPermission(user, "playlistnext")) {
return;
}
var pos = data.pos || "end";
var pos = data.pos;
// Verify user has permission to add a YouTube playlist, if relevant
if (data.type === "yp" && !this.hasPermission(user, "playlistaddlist")) {
@ -1822,10 +1822,19 @@ Channel.prototype.handleQueuePlaylist = function (user, data) {
}
var name = data.name;
/* Kick for this because there's no legitimate way to do this with the
UI. Can only be accomplished by manually sending a packet and people
abuse it to bypass the addnext permission
*/
if (data.pos !== "next" && data.pos !== "end") {
user.kick("Illegal queue packet: pos must be 'next' or 'end'");
return;
}
if (data.pos === "next" && !self.hasPermission(user, "playlistnext")) {
return;
}
var pos = data.pos || "end";
var pos = data.pos;
var temp = data.temp || !self.hasPermission(user, "addnontemp");