Hide access tokens if user is not the project owner.
This prevents sneaky read-only users from sniffing out the read-write link via the browser console.
This commit is contained in:
parent
6482cd7dd8
commit
e4e558c0e6
1 changed files with 3 additions and 0 deletions
|
@ -22,6 +22,9 @@ module.exports = EditorHttpController =
|
|||
Metrics.inc "editor.join-project"
|
||||
EditorHttpController._buildJoinProjectView req, project_id, user_id, (error, project, privilegeLevel) ->
|
||||
return next(error) if error?
|
||||
# Hide access tokens if this is not the project owner
|
||||
if privilegeLevel != 'owner' && project.tokens?
|
||||
project.tokens = {readOnly: '', readAndWrite: ''}
|
||||
res.json {
|
||||
project: project
|
||||
privilegeLevel: privilegeLevel
|
||||
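Review bot: The token stripping is done in the controller callback after `_buildJoinProjectView` has returned, so any other caller of that helper (or a future second consumer of the view) still receives the real `readOnly`/`readAndWrite` tokens; the check already has `privilegeLevel` in hand and would be harder to bypass if it lived inside `_buildJoinProjectView`, or if the field were omitted from the view rather than overwritten with empty strings. The guard fails closed (an undefined `privilegeLevel` also hides the tokens), which is the right default, and a comment stating that would help the next reader: `# Fail closed: anything other than an explicit 'owner' gets blanked tokens`. It is not visible here whether `project` is a freshly built view object or a shared/cached document; if it is the latter, assigning `project.tokens` in place would blank the tokens for everyone, so that assumption is worth confirming with a test that asserts a non-owner's response carries empty tokens and the owner's response is unchanged. The enclosing `joinProject` handler begins before this hunk.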