Hide access tokens if user is not the project owner.

This prevents sneaky read-only users from sniffing out the read-write
link via the browser console.
This commit is contained in:
Shane Kilkelly 2017-10-05 13:18:30 +01:00
parent 6482cd7dd8
commit e4e558c0e6


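--- a/[PATH_NOT_SHOWN_ON_PAGE]
+++ b/[PATH_NOT_SHOWN_ON_PAGE]
@@ -22,6 +22,9 @@ module.exports = EditorHttpController =
 		Metrics.inc "editor.join-project"
 		EditorHttpController._buildJoinProjectView req, project_id, user_id, (error, project, privilegeLevel) ->
 			return next(error) if error?
+			# Hide access tokens if this is not the project owner
+			if privilegeLevel != 'owner' && project.tokens?
+				project.tokens = {readOnly: '', readAndWrite: ''}
 			res.json {
 				project: project
 				privilegeLevel: privilegeLevel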
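Review bot: The tokens are blanked by mutating the `project` object after `_buildJoinProjectView` has already produced it, so if that helper has any other caller, or the same object is reused later in this request, the real tokens are still exposed there; doing the check inside the view builder (or on a copy of the object) would close that gap. Replacing the values with empty strings also leaves the `tokens` key in the JSON response, so `delete project.tokens` would hide them more cleanly, provided the client tolerates the missing key. The `!= 'owner'` comparison is fail-closed for any unexpected or undefined privilegeLevel, which is worth stating so it is not later loosened: `# Only the owner may see tokens; every other level, including undefined, gets them blanked`. The enclosing joinProject handler and the callback passed to `_buildJoinProjectView` both continue outside the hunk.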