
Non-hosts can access the host UI via console commands #90

Open
ckingdev opened this issue May 29, 2016 · 3 comments

Comments

@ckingdev
Contributor

Opening the console in a room and executing Heim.chat.store.state.isManager = true changes the UI to that of a host. The user can now view the IDs of users in the room. Attempting to PM someone results in the room crashing. (see report d5d1b0c9eba24ef4861c9a61c45be3a9)

@jedevc
Contributor

jedevc commented May 29, 2016

As for seeing the user IDs, that's always been possible using a bot or even just inspecting the packets going through the websocket.

The crashing could probably be fixed though...

@ckingdev
Contributor Author

IMO it's more important for future development. It makes it much easier to have bugs wrt authentication if a user can already see the host UI.

@CylonicRaider
Contributor

Au contraire, authentication checks ought to be independent of visibility checks. Making the host UI available (in a hidden way) can serve as a vehicle for testing instead.
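The principle in the thread, as an added illustration that is not heim's own code: the server decides who is a host from its own session record, so a client that flips its local isManager flag only changes what it renders, not what it is allowed to do. The session store, command names and handler functions below are hypothetical.

```javascript
// Added example (not heim's code). Server-side session store: user id ->
// whether the account holds the host role. Sample data is constructed.
const sessions = {
  "agent:alice": { isManager: true },
  "agent:bob": { isManager: false },
};

// Vulnerable pattern: trusts a flag the client sends. A client that has set
// its own store.state.isManager = true (as in the issue) passes this check.
function handleCommandTrustingClient(senderId, cmd) {
  if (cmd.type === "list-ids") {
    if (!cmd.isManager) return { error: "forbidden" };
    return { ids: Object.keys(sessions) };
  }
  return { error: "unknown command" };
}

// Hardened pattern: authorization uses only server-held state, independent of
// what the client shows or claims. Bad input yields a structured error rather
// than an exception, so a forged host command cannot take the room down.
function handleCommand(senderId, cmd) {
  const session = sessions[senderId];
  if (!session) return { error: "unauthenticated" };
  if (!cmd || typeof cmd.type !== "string") return { error: "malformed" };

  switch (cmd.type) {
    case "list-ids":
      if (!session.isManager) return { error: "forbidden" };
      return { ids: Object.keys(sessions) };
    case "pm":
      if (!session.isManager) return { error: "forbidden" };
      if (!sessions[cmd.to]) return { error: "no such user" };
      return { delivered: true, to: cmd.to };
    default:
      return { error: "unknown command" };
  }
}
```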
