[Security] Fix events being editable by other users that organizers

Closes #385 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2020-10-09 18:12:35 +02:00
parent 24238da393
commit c296381ed6
4 changed files with 94 additions and 13 deletions
--- a/js/src/types/event.model.ts
+++ b/js/src/types/event.model.ts
@@ -275,7 +275,7 @@ export class EventModel implements IEvent {

    this.title = hash.title;
    this.slug = hash.slug;
-    this.description = hash.description;
+    this.description = hash.description || "";

    this.beginsOn = new Date(hash.beginsOn);
    if (hash.endsOn) this.endsOn = new Date(hash.endsOn);
--- a/js/src/views/Event/Edit.vue
+++ b/js/src/views/Event/Edit.vue
@@ -1,6 +1,6 @@
 <template>
  <section>
-    <div class="container">
+    <div class="container" v-if="isCurrentActorOrganizer">
      <h1 class="title" v-if="isUpdate === true">
        {{ $t("Update event {name}", { name: event.title }) }}
      </h1>
@@ -255,6 +255,7 @@
      aria-label="main navigation"
      class="navbar"
      :class="{ 'is-fixed-bottom': showFixedNavbar }"
+      v-if="isCurrentActorOrganizer"
    >
      <div class="container">
        <div class="navbar-menu">
@@ -511,6 +512,8 @@ export default class EditEvent extends Vue {
    this.limitedPlaces = this.event.options.maximumAttendeeCapacity > 0;
    if (!(this.isUpdate || this.isDuplicate)) {
      this.initializeEvent();
+    } else {
+      this.event.description = this.event.description || "";
    }
  }

@@ -533,11 +536,6 @@ export default class EditEvent extends Vue {
    }
  }

-  @Watch("currentActor")
-  setCurrentActor(): void {
-    this.event.organizerActor = this.currentActor;
-  }
-
  @Watch("event")
  setInitialData(): void {
    if (this.isUpdate && this.unmodifiedEvent === undefined && this.event && this.event.uuid) {
@@ -620,6 +618,14 @@ export default class EditEvent extends Vue {
    }
  }

+  get isCurrentActorOrganizer(): boolean {
+    return !(
+      this.eventId &&
+      this.event.organizerActor &&
+      this.currentActor.id !== this.event.organizerActor.id
+    ) as boolean;
+  }
+
  get updateEventMessage(): string {
    if (this.unmodifiedEvent.draft && !this.event.draft)
      return this.$i18n.t("The event has been updated and published") as string;
@@ -720,6 +726,10 @@ export default class EditEvent extends Vue {
   * Build variables for Event GraphQL creation query
   */
  private async buildVariables() {
+    this.event.organizerActor =
+      this.event.organizerActor && this.event.organizerActor.id
+        ? this.event.organizerActor
+        : this.currentActor;
    let res = this.event.toEditJSON();
    if (this.event.organizerActor) {
      res = Object.assign(res, {