authorScott Ostler <scottbot9000@gmail.com>2010-10-25 19:11:36 -0400
committerScott Ostler <scottbot9000@gmail.com>2010-10-25 19:11:36 -0400
commit95b8cfe4abce19275e9302c2d0150b096f609704 (patch)
treef95ab8979fae9d3d0a1d008e2aee6c0744407434 /src/site.clj
parenta77897fd4a474e5e2cfa292af069c33f8d3aa6ac (diff)
Added super ghetto mgmt security
Diffstat (limited to 'src/site.clj')
-rw-r--r--src/site.clj28
1 files changed, 18 insertions, 10 deletions
diff --git a/src/site.clj b/src/site.clj
index 68190d5..cd35419 100644
--- a/src/site.clj
+++ b/src/site.clj
@@ -783,10 +783,17 @@ WHERE u.user_id = ANY(?)"
(add-message (build-msg nick content msg-id) room))
(resp-success msg-id)))))
-(defn validated-msg [session params]
- (if (validate-room-access (params :room) session)
- (msg session params)
- (resp-error "UNKNOWN_ROOM")))
+
+(defn is-bad-mgmt? [params request]
+ (and (= (lower-case (params :room)) "mgmt")
+ (not
+ (= (lower-case (get (:headers request) "referer")) "http://dump.fm/mgmt/idontgetit"))))
+
+(defn validated-msg [session params request]
+ (cond
+ (not (validate-room-access (params :room) session)) (resp-error "UNKNOWN_ROOM")
+ (is-bad-mgmt? params request) (resp-error "INVALID")
+ :else (msg session params)))
;; Browser
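Review bot: `is-bad-mgmt?` decides who may post to the mgmt room from the Referer header, which is supplied by the client, so it is not a reliable access control and should be documented as a best-effort UI guard rather than a gate; the comparison string also embeds the mgmt password (`idontgetit`, the same literal as `mgmt-pw`), so every place that records referers (access logs, proxies) now sees it. Separately, `(lower-case (get (:headers request) "referer"))` will most likely throw on a request that carries no Referer at all, turning a missing header into a server error instead of the `INVALID` response; making the value nil-safe, e.g. `(not= (lower-case (str (get (:headers request) "referer"))) "http://dump.fm/mgmt/idontgetit")`, avoids that, and the same applies to `(params :room)` if it can be absent. The helper is reused in the upload hunk at the `(is-bad-mgmt? params request) [200 "INVALID_REQUEST"]` line, so both callers inherit these issues. A one-line docstring on `is-bad-mgmt?` saying what it checks and that it relies on a client-supplied header would help the next reader.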
@@ -1199,7 +1206,7 @@ WHERE u.user_id = ANY(?)"
(copy (:tempfile image) dest)
[200 "OK"]))))
-(defn upload [session params]
+(defn upload [session params request]
(let [room-key (params :room)
nick (session :nick)
user-id (session :user_id)
@@ -1210,6 +1217,7 @@ WHERE u.user_id = ANY(?)"
(not image) [200 "INVALID_REQUEST"]
mute [200 (format-mute mute)]
(not has-access) [200 "UNKNOWN_ROOM"]
+ (is-bad-mgmt? params request) [200 "INVALID_REQUEST"]
:else (do-upload session image (lookup-room room-key)))))
(defn upload-photo [session params]
@@ -1257,7 +1265,7 @@ WHERE u.user_id = ANY(?)"
(def mgmt-pw "idontgetit")
-(defn mgmt [session url pw]
+(defn mgmt [session pw]
(if (= (and pw (lower-case pw)) mgmt-pw)
(validated-chat session "mgmt" "chat")
(validated-chat session "mgmt")))
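Review bot: `mgmt` compares a secret that arrives as a path segment of a GET request (`/mgmt/:pw` in the routes hunk below) against the hard-coded `mgmt-pw` literal defined just above; a secret in the URL path ends up in server access logs, browser history and outgoing Referer headers, which is exactly the header `is-bad-mgmt?` now inspects, so each mechanism exposes the other's secret. Keeping the password out of source (read it from configuration or the environment at startup) and accepting it from a POST body rather than the path would remove both leaks without changing the route's behaviour for legitimate users. The lower-casing on the `(= (and pw (lower-case pw)) mgmt-pw)` line makes the comparison case-insensitive, which is worth a comment if intentional.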
@@ -1344,8 +1352,8 @@ WHERE u.user_id = ANY(?)"
(GET "/test/hiscores/week" (hiscore-test session params "week"))
(GET "/test/hiscores/month" (hiscore-test session params "month"))
- (GET "/mgmt" (mgmt session request nil))
- (GET "/mgmt/:pw" (mgmt session request (:pw params)))
+ (GET "/mgmt" (mgmt session nil))
+ (GET "/mgmt/:pw" (mgmt session (:pw params)))
;; Events
; (GET "/event" (event-page session))
@@ -1356,7 +1364,7 @@ WHERE u.user_id = ANY(?)"
(GET "/fullscreen" (serve-meme session "fullscreen"))
;; TODO: add form tokens for all destructive actions
- (POST "/msg" (validated-msg session params))
+ (POST "/msg" (validated-msg session params request))
(POST "/submit-registration" (register session params request))
(POST "/update-profile" (update-profile session params))
(GET "/directory" (directory session 0))
@@ -1423,7 +1431,7 @@ WHERE u.user_id = ANY(?)"
(ANY "*" (unknown-page)))
(defroutes multipart
- (POST "/upload/message" (upload session params))
+ (POST "/upload/message" (upload session params request))
(POST "/upload/photo" (upload-photo session params))
(POST "/upload/avatar" (upload-avatar session params)))