Merge pull request #63 from jhalter/fix_flat_news_bug

[rbdr/mobius] / hotline / transaction_handlers.go

diff --git a/hotline/transaction_handlers.go b/hotline/transaction_handlers.go
index abe2ea8d2c72c01695f7ad474f4c0c63c8857b38..56f7afa0d90f1f1c24f5ff81a08fc341420184f7 100644 (file)
--- a/hotline/transaction_handlers.go
+++ b/hotline/transaction_handlers.go
@@ -805,6 +805,15 @@ func HandleUpdateUser(cc *ClientConn, t *Transaction) (res []Transaction, err er
                        newAccess := accessBitmap{}
                        copy(newAccess[:], getField(fieldUserAccess, &subFields).Data[:])
 
+                       // Prevent account from creating new account with greater permission
+                       for i := 0; i < 64; i++ {
+                               if newAccess.IsSet(i) {
+                                       if !cc.Authorize(i) {
+                                               return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), err
+                                       }
+                               }
+                       }
+
                        err := cc.Server.NewUser(login, string(getField(fieldUserName, &subFields).Data), string(getField(fieldUserPassword, &subFields).Data), newAccess)
                        if err != nil {
                                return []Transaction{}, err
@@ -834,6 +843,16 @@ func HandleNewUser(cc *ClientConn, t *Transaction) (res []Transaction, err error
        newAccess := accessBitmap{}
        copy(newAccess[:], t.GetField(fieldUserAccess).Data[:])
 
+       // Prevent account from creating new account with greater permission
+       for i := 0; i < 64; i++ {
+               if newAccess.IsSet(i) {
+                       if !cc.Authorize(i) {
+                               res = append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself."))
+                               return res, err
+                       }
+               }
+       }
+
        if err := cc.Server.NewUser(login, string(t.GetField(fieldUserName).Data), string(t.GetField(fieldUserPassword).Data), newAccess); err != nil {
                return []Transaction{}, err
        }
@@ -1015,14 +1034,14 @@ func HandleTranOldPostNews(cc *ClientConn, t *Transaction) (res []Transaction, e
        newsPost := fmt.Sprintf(newsTemplate+"\r", cc.UserName, time.Now().Format(newsDateTemplate), t.GetField(fieldData).Data)
        newsPost = strings.Replace(newsPost, "\n", "\r", -1)
 
+       // update news in memory
+       cc.Server.FlatNews = append([]byte(newsPost), cc.Server.FlatNews...)
+
        // update news on disk
        if err := cc.Server.FS.WriteFile(filepath.Join(cc.Server.ConfigDir, "MessageBoard.txt"), cc.Server.FlatNews, 0644); err != nil {
                return res, err
        }
 
-       // update news in memory
-       cc.Server.FlatNews = append([]byte(newsPost), cc.Server.FlatNews...)
-
        // Notify all clients of updated news
        cc.sendAll(
                tranNewMsg,