m33/FoundKey
1
0
Fork 0
forked from FoundKeyGang/FoundKey
Code Issues Pull requests Projects Releases Packages Wiki Activity

server: ensure only own notifications can be marked as read

Browse source 
Exploiting this before should already have been rather difficult because you
would need to know or guess the notification's ID. It is also of relatively
low security impact.

Changelog: Fixed
This commit is contained in:
syuilo 2022-09-06 20:54:49 +09:00 committed by Johann150
parent c926b4fbcc
commit 4b3cf7834b
Signed by untrusted user: Johann150
GPG key ID: 9EE6577A2A06F8F1
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
packages/backend/src/server/api/common/read-notification.ts
View file

@ -13,6 +13,7 @@ export async function readNotification(
// Update documents // Update documents
const result = await Notifications.update({ const result = await Notifications.update({
notifieeId: userId,
id: In(notificationIds), id: In(notificationIds),
isRead: false, isRead: false,
}, { }, {