dont allow "remote admins" to run public escaped cmds on behalf of others
Signed-off-by: strawberry <strawberry@puppygock.gay>
parent
08bf074cbb
commit
03c04ce0a1
|
@ -18,7 +18,7 @@ use serde_json::value::to_raw_value;
|
|||
use tokio::{sync::Mutex, task::JoinHandle};
|
||||
use tracing::error;
|
||||
|
||||
use crate::{pdu::PduBuilder, services, PduEvent};
|
||||
use crate::{pdu::PduBuilder, services, user_is_local, PduEvent};
|
||||
|
||||
pub type HandlerResult = Pin<Box<dyn Future<Output = Result<AdminEvent, Error>> + Send>>;
|
||||
pub type Handler = fn(AdminEvent) -> HandlerResult;
|
||||
|
@ -276,6 +276,11 @@ pub async fn is_admin_command(pdu: &PduEvent, body: &str) -> bool {
|
|||
return false;
|
||||
}
|
||||
|
||||
// only allow public escaped commands by local admins
|
||||
if is_public_escape && !user_is_local(&pdu.sender) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check if server-side command-escape is disabled by configuration
|
||||
if is_public_escape && !services().globals.config.admin_escape_commands {
|
||||
return false;
|
||||
|
|
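Review bot: The comment on the new guard says "local admins", but the condition `is_public_escape && !user_is_local(&pdu.sender)` tests only which server the sender belongs to. No line in this hunk decides whether the sender is an admin; that presumably happens elsewhere in `is_admin_command`, whose body starts and ends outside the hunk. I would reword the comment to state what is actually enforced, e.g. `// Public escaped commands are accepted only from senders on this server; admin status is checked separately.`, after confirming the second clause against the rest of the function. The rejection is also silent, so an operator cannot tell that a remote account attempted an escaped command. A `tracing::debug!` line naming the sender would make that visible, but only if it sits after the admin check, since otherwise any federated message carrying the escape prefix would produce a log entry.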