From 3b666fef77c5c70f006c8d282825a3cd7e572af3 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Wed, 9 Aug 2023 08:52:23 -0700
Subject: [PATCH] Add backend check for ws message ownership

---
 src-ui/src/app/services/consumer-status.service.ts | 2 +-
 src/paperless/consumers.py | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src-ui/src/app/services/consumer-status.service.ts b/src-ui/src/app/services/consumer-status.service.ts
index 3e21da138..2b587fbfd 100644
--- a/src-ui/src/app/services/consumer-status.service.ts
+++ b/src-ui/src/app/services/consumer-status.service.ts
@@ -146,7 +146,7 @@ export class ConsumerStatusService {
     this.statusWebSocket.onmessage = (ev) => {
       let statusMessage: WebsocketConsumerStatusMessage = JSON.parse(ev['data'])
 
-      // tasks are async so we rely on checking user id
+      // fallback if backend didnt restrict message
       if (
         statusMessage.owner_id &&
         statusMessage.owner_id !== this.settingsService.currentUser?.id &&
diff --git a/src/paperless/consumers.py b/src/paperless/consumers.py
index 7c34c8c39..cf1a3b548 100644
--- a/src/paperless/consumers.py
+++ b/src/paperless/consumers.py
@@ -10,6 +10,16 @@ class StatusConsumer(WebsocketConsumer):
     def _authenticated(self):
         return "user" in self.scope and self.scope["user"].is_authenticated
 
+    def _is_owner_or_unowned(self, data):
+        return (
+            (
+                self.scope["user"].is_superuser
+                or self.scope["user"].id == data["owner_id"]
+            )
+            if "owner_id" in data and "user" in self.scope
+            else True
+        )
+
     def connect(self):
         if not self._authenticated():
             raise DenyConnection
@@ -30,4 +40,5 @@ class StatusConsumer(WebsocketConsumer):
         if not self._authenticated():
             self.close()
         else:
-            self.send(json.dumps(event["data"]))
+            if self._is_owner_or_unowned(event["data"]):
+                self.send(json.dumps(event["data"]))
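Review bot: `_is_owner_or_unowned` keys on the presence of the `owner_id` key rather than its value, so a payload carrying `owner_id: None` (a plausible encoding for an unowned document, though the producer of these events is not in this diff) is withheld from every non-superuser, whereas the frontend fallback in consumer-status.service.ts treats a falsy owner_id as visible to all. If unowned messages can arrive that way, test the value instead of the key: `if data.get("owner_id") is not None and "user" in self.scope`. The `else True` branch also falls open when `user` is absent from the scope; that is unreachable today because every caller checks `_authenticated()` first, but a comment such as `# callers gate on _authenticated(), so scope always carries a user here` would stop a future caller from relying on the permissive default.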
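Review bot: The new `else:` that holds only an `if` reads as an extra nesting level where `elif self._is_owner_or_unowned(event["data"]):` followed by the existing `self.send(json.dumps(event["data"]))` line says the same thing flat. Dropping the message when the ownership check fails is the right outcome for a broadcast event, but nothing in the hunk marks it as deliberate; a comment on the send line such as `# status events for documents owned by other users are dropped, not forwarded` would document that. The enclosing method starts outside the hunk.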