From 03e68f92ebe7051b209790eb27d30fce87c1bbc7 Mon Sep 17 00:00:00 2001
From: Cheng-Han, Wu
Date: Fri, 17 Jun 2016 16:29:45 +0800
Subject: Fix locked or private permission should block any operation if owner
 is null

---
 lib/realtime.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/realtime.js b/lib/realtime.js
index 0edf647c..b7a17d34 100644
--- a/lib/realtime.js
+++ b/lib/realtime.js
@@ -540,7 +540,7 @@ function ifMayEdit(socket, callback) {
             break;
         case "locked": case "private":
             //only owner can change
-            if (note.owner != socket.request.user.id)
+            if (!note.owner || note.owner != socket.request.user.id)
                 mayEdit = false;
             break;
     }
@@ -641,7 +641,7 @@ function connection(socket) {
             if (!noteId || !notes[noteId]) return;
             var note = notes[noteId];
             //Only owner can change permission
-            if (note.owner == socket.request.user.id) {
+            if (note.owner && note.owner == socket.request.user.id) {
                 note.permission = permission;
                 models.Note.update({
                     permission: permission
-- 
cgit v1.2.3