forked from FoundKeyGang/FoundKey
server: ensure only own notifications can be marked as read
Exploiting this before should already have been rather difficult because you would need to know or guess the notification's ID. It is also of relatively low security impact. Changelog: Fixed
This commit is contained in:
parent
c926b4fbcc
commit
4b3cf7834b
1 changed files with 1 additions and 0 deletions
|
@ -13,6 +13,7 @@ export async function readNotification(
|
|||
|
||||
// Update documents
|
||||
const result = await Notifications.update({
|
||||
notifieeId: userId,
|
||||
id: In(notificationIds),
|
||||
isRead: false,
|
||||
}, {
|
||||
|
|
Loading…
Reference in a new issue