From 46f94b3c5aab156b6b6d1406fa7d5aa00fc85089 Mon Sep 17 00:00:00 2001
From: Richard Lewis
Date: Fri, 23 Feb 2018 14:53:52 +0000
Subject: [PATCH] Ensure that roomId is validated before accessing room-based widgets.
---
 src/ScalarMessaging.js | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/ScalarMessaging.js b/src/ScalarMessaging.js
index ac68d1a2d2..abd1caaec1 100644
--- a/src/ScalarMessaging.js
+++ b/src/ScalarMessaging.js
@@ -334,7 +334,6 @@ function setWidget(event, roomId) {
 };
 
 if (userWidget) {
- console.warn('Adding user widget');
 const client = MatrixClientPeg.get();
 const userWidgets = client.getAccountData('m.widgets').getContent() || {};
 
@@ -357,7 +356,6 @@ function setWidget(event, roomId) {
 }
 
 client.setAccountData('m.widgets', userWidgets);
- console.warn(`Set user widgets to:`, client.getAccountData('m.widgets'));
 sendResponse(event, {
 success: true,
 });
@@ -619,17 +617,14 @@ const onMessage = function(event) {
 const userId = event.data.user_id;
 
 // These APIs don't require roomId
+ // Get and set user widgets (not associated with a specific room)
+ // If roomId is specified, it must be validated, so room-based widgets agreed
+ // handled further down.
 if (event.data.action === "get_widgets") {
- getWidgets(event, roomId);
+ getWidgets(event, null);
 return;
 } else if (event.data.action === "set_widget") {
- setWidget(event, roomId);
- return;
- } else if (event.data.action === "add_widget_asset") {
- addWidgetAsset(event, roomId);
- return;
- } else if (event.data.action === "remove_widget_asset") {
- removeWidgetAsset(event, roomId);
+ setWidget(event, null);
 return;
 }
 
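Review bot: The early `get_widgets` / `set_widget` branch in the `@@ -619` hunk still returns unconditionally, so a request that carries a `room_id` is handled here with `null` before any room validation runs. It then never reaches the room-based block added by the `@@ -656` hunk, which looks unreachable for these two actions, assuming the unseen lines between the hunks are straight-line code. Gate the branch on the absence of a room, for example by wrapping it in `if (!roomId) { ... }`, so only user-scoped requests skip validation. The added comment would also read better with `agreed` corrected to `are`. The body of `onMessage` starts and ends outside this hunk.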
@@ -656,6 +651,15 @@ const onMessage = function(event) {
 return;
 }
 
+ // Get and set room-based widgets
+ if (event.data.action === "get_widgets") {
+ getWidgets(event, null);
+ return;
+ } else if (event.data.action === "set_widget") {
+ setWidget(event, null);
+ return;
+ }
+
 // These APIs don't require userId
 if (event.data.action === "join_rules_state") {
 getJoinRules(event, roomId);
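Review bot: Both calls in the room-based block pass `null` instead of the `roomId` that the preceding check has just validated, so the handlers are never given the room even on this path. The calls should read `getWidgets(event, roomId);` and `setWidget(event, roomId);`. As written, the block behaves the same as the user-widget branch earlier in `onMessage`, which does not match the intent stated in the commit subject. The validation itself sits above this hunk and is not visible here, so confirm that it rejects a `room_id` that does not match the active room before these calls run.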