dont allow "remote admins" to run public escaped cmds on behalf of others

Signed-off-by: strawberry <strawberry@puppygock.gay>
strawberry 2024-06-14 23:46:07 -04:00
parent 08bf074cbb
commit 03c04ce0a1


@ -18,7 +18,7 @@ use serde_json::value::to_raw_value;
use tokio::{sync::Mutex, task::JoinHandle};
use tracing::error;
use crate::{pdu::PduBuilder, services, PduEvent};
use crate::{pdu::PduBuilder, services, user_is_local, PduEvent};
pub type HandlerResult = Pin<Box<dyn Future<Output = Result<AdminEvent, Error>> + Send>>;
pub type Handler = fn(AdminEvent) -> HandlerResult;
@ -276,6 +276,11 @@ pub async fn is_admin_command(pdu: &PduEvent, body: &str) -> bool {
return false;
}
// only allow public escaped commands by local admins
if is_public_escape && !user_is_local(&pdu.sender) {
return false;
}
// Check if server-side command-escape is disabled by configuration
if is_public_escape && !services().globals.config.admin_escape_commands {
return false;
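Review bot: The comment on the new guard in `is_admin_command` says what is rejected but not why, and the reason is the security-relevant part a later maintainer needs before touching the check. I would word it as `// Public-escaped commands are honoured only for senders on this homeserver; a federated sender, even one counted as an admin, must not be able to trigger them.` The rejection is also silent (`return false`), so an operator has no record of a remote user attempting an escaped command; a low-severity log line carrying `pdu.sender` at this point would help detection. The body of `is_admin_command` starts before and continues past this hunk, so how admin status itself is established, and whether non-escaped commands from remote senders are handled elsewhere, cannot be confirmed from these lines.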