From 3ee65cd38e2d3bef114079e971f9a158e2a6d2b2 Mon Sep 17 00:00:00 2001 From: Wu Cheng-Han Date: Thu, 12 Jan 2017 23:45:51 +0800 Subject: Fix for limited and protected permissions should forbid guest in realtime events --- lib/realtime.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/realtime.js b/lib/realtime.js index 21390607..0f2a6680 100644 --- a/lib/realtime.js +++ b/lib/realtime.js @@ -374,7 +374,7 @@ function finishConnection(socket, note, user) { return interruptConnection(socket, note, user); } //check view permission - if (note.permission == 'private') { + if (note.permission == 'limited' || note.permission == 'protected' || note.permission == 'private') { if (socket.request.user && socket.request.user.logged_in && socket.request.user.id == note.owner) { //na } else { @@ -790,7 +790,7 @@ function connection(socket) { var sock = note.socks[i]; if (typeof sock !== 'undefined' && sock) { //check view permission - if (permission == 'private') { + if (permission == 'limited' || permission == 'protected' || permission == 'private') { if (sock.request.user && sock.request.user.logged_in && sock.request.user.id == note.owner) { //na } else { -- cgit v1.2.3