server: ensure only own notifications can be marked as read
All checks were successful
ci/woodpecker/push/lint-backend Pipeline was successful
ci/woodpecker/push/build Pipeline was successful
ci/woodpecker/push/lint-client Pipeline was successful
ci/woodpecker/push/lint-foundkey-js Pipeline was successful
ci/woodpecker/push/test Pipeline was successful
Exploiting this before should already have been rather difficult because you would need to know or guess the notification's ID. It is also of relatively low security impact.

Changelog: Fixed
parent c926b4fbcc
commit 4b3cf7834b
1 changed files with 1 additions and 0 deletions
|
@ -13,6 +13,7 @@ export async function readNotification(
|
|||
|
||||
// Update documents
|
||||
const result = await Notifications.update({
|
||||
notifieeId: userId,
|
||||
id: In(notificationIds),
|
||||
isRead: false,
|
||||
}, {
|
||||
|
|
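Review bot: the `notifieeId: userId` condition in the `Notifications.update` criteria of `readNotification` is the only ownership check visible in this hunk, and the `// Update documents` comment above it does not say so. A one-line comment stating that this field is the authorization check would keep it from being dropped when the query is next refactored. The commit touches one file with a single added line, so no test accompanies it; a regression test that calls `readNotification` with a notification ID belonging to a different user and asserts that the notification stays unread would pin the behaviour.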