agw/overleaf-cep
1
0
Fork 0
mirror of https://github.com/yu-i-i/overleaf-cep.git synced 2026-05-27 02:51:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Hide access tokens if user is not the project owner.

Browse Source 
This prevents sneaky read-only users from sniffing out the read-write
link via the browser console.
This commit is contained in:
Shane Kilkelly
2017-10-05 13:18:30 +01:00
parent 6482cd7dd8
commit e4e558c0e6
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
services/web/app/coffee/Features/Editor/EditorHttpController.coffee
View File

@@ -22,6 +22,9 @@ module.exports = EditorHttpController =
Metrics.inc "editor.join-project"
EditorHttpController._buildJoinProjectView req, project_id, user_id, (error, project, privilegeLevel) ->
return next(error) if error?
# Hide access tokens if this is not the project owner
if privilegeLevel != 'owner' && project.tokens?
project.tokens = {readOnly: '', readAndWrite: ''}
res.json {
project: project
privilegeLevel: privilegeLevel