Stinky fix for impersonation in chat auth.

This commit is contained in:
flash 2024-02-20 23:56:43 +00:00
parent 89ef9d9ad1
commit cb0c64f8ed
2 changed files with 15 additions and 10 deletions

View file

@ -263,6 +263,7 @@ class MisuzuContext {
$routingCtx->register(new \Misuzu\SharpChat\SharpChatRoutes(
$this->config->scopeTo('sockChat'),
$this->config->scopeTo('impersonate'),
$this->urls,
$this->usersCtx,
$this->authCtx,

View file

@ -3,25 +3,21 @@ namespace Misuzu\SharpChat;
use RuntimeException;
use Index\Colour\Colour;
use Index\Routing\IRouter;
use Index\Routing\IRouteHandler;
use Index\Routing\Route;
use Index\Routing\{IRouter,IRouteHandler,Route};
use Syokuhou\IConfig;
use Misuzu\RoutingContext;
use Misuzu\Auth\AuthContext;
use Misuzu\Auth\AuthInfo;
use Misuzu\Auth\Sessions;
use Misuzu\Auth\{AuthContext,AuthInfo,Sessions};
use Misuzu\Emoticons\Emotes;
use Misuzu\Perms\Permissions;
use Misuzu\URLs\URLRegistry;
use Misuzu\Users\Bans;
use Misuzu\Users\UsersContext;
use Misuzu\Users\{Bans,UsersContext,UserInfo};
final class SharpChatRoutes implements IRouteHandler {
private string $hashKey;
public function __construct(
private IConfig $config,
private IConfig $impersonateConfig, // this sucks lol
private URLRegistry $urls,
private UsersContext $usersCtx,
private AuthContext $authCtx,
@ -79,6 +75,14 @@ final class SharpChatRoutes implements IRouteHandler {
));
}
private function canImpersonateUserId(UserInfo $impersonator, string $targetId): bool {
if($impersonator->isSuperUser())
return true;
$whitelist = $impersonateConfig->getArray(sprintf('allow.u%s', $impersonator->getId()));
return in_array($targetId, $whitelist, true);
}
#[Route('OPTIONS', '/_sockchat/token')]
#[Route('GET', '/_sockchat/token')]
public function getToken($response, $request) {
@ -121,7 +125,7 @@ final class SharpChatRoutes implements IRouteHandler {
return ['ok' => false, 'err' => 'user'];
$userInfo = $this->usersCtx->getUsers()->getUser($sessionInfo->getUserId(), 'id');
$userId = $tokenInfo->hasImpersonatedUserId() && $userInfo->isSuperUser()
$userId = $tokenInfo->hasImpersonatedUserId() && $this->canImpersonateUserId($userInfo, $tokenInfo->getImpersonatedUserId())
? $tokenInfo->getImpersonatedUserId()
: $userInfo->getId();
@ -215,7 +219,7 @@ final class SharpChatRoutes implements IRouteHandler {
$this->authCtx->getSessions()->recordSessionActivity(sessionInfo: $sessionInfo, remoteAddr: $ipAddress);
$userInfo = $this->usersCtx->getUsers()->getUser($sessionInfo->getUserId(), 'id');
if($tokenInfo->hasImpersonatedUserId() && $userInfo->isSuperUser()) {
if($tokenInfo->hasImpersonatedUserId() && $this->canImpersonateUserId($userInfo, $tokenInfo->getImpersonatedUserId())) {
$userInfoReal = $userInfo;
try {