v0.11.9 fixed tenant isolation bug
This commit is contained in:
@@ -3,6 +3,8 @@ const router = express.Router();
|
||||
const { query, queryOne, queryResult, exec } = require('../models/db');
|
||||
const { authMiddleware, adminMiddleware, teamManagerMiddleware } = require('../middleware/auth');
|
||||
|
||||
const R = (schema, type, id) => `${schema}:${type}:${id}`;
|
||||
|
||||
module.exports = function(io) {
|
||||
|
||||
// ── Helpers ───────────────────────────────────────────────────────────────────
|
||||
@@ -18,14 +20,14 @@ async function postSysMsg(schema, groupId, actorId, content) {
|
||||
u.hide_admin_tag AS user_hide_admin_tag, u.about_me AS user_about_me, u.allow_dm AS user_allow_dm
|
||||
FROM messages m JOIN users u ON m.user_id=u.id WHERE m.id=$1
|
||||
`, [r.rows[0].id]);
|
||||
if (msg) { msg.reactions = []; io.to(`group:${groupId}`).emit('message:new', msg); }
|
||||
if (msg) { msg.reactions = []; io.to(R(schema,'group',groupId)).emit('message:new', msg); }
|
||||
}
|
||||
|
||||
async function addUserSilent(schema, dmGroupId, userId) {
|
||||
await exec(schema, 'INSERT INTO group_members (group_id,user_id) VALUES ($1,$2) ON CONFLICT DO NOTHING', [dmGroupId, userId]);
|
||||
io.in(`user:${userId}`).socketsJoin(`group:${dmGroupId}`);
|
||||
io.in(R(schema,'user',userId)).socketsJoin(R(schema,'group',dmGroupId));
|
||||
const dmGroup = await queryOne(schema, 'SELECT * FROM groups WHERE id=$1', [dmGroupId]);
|
||||
if (dmGroup) io.to(`user:${userId}`).emit('group:new', { group: dmGroup });
|
||||
if (dmGroup) io.to(R(schema,'user',userId)).emit('group:new', { group: dmGroup });
|
||||
}
|
||||
|
||||
async function addUser(schema, dmGroupId, userId, actorId) {
|
||||
@@ -36,8 +38,8 @@ async function addUser(schema, dmGroupId, userId, actorId) {
|
||||
|
||||
async function removeUser(schema, dmGroupId, userId, actorId) {
|
||||
await exec(schema, 'DELETE FROM group_members WHERE group_id=$1 AND user_id=$2', [dmGroupId, userId]);
|
||||
io.in(`user:${userId}`).socketsLeave(`group:${dmGroupId}`);
|
||||
io.to(`user:${userId}`).emit('group:deleted', { groupId: dmGroupId });
|
||||
io.in(R(schema,'user',userId)).socketsLeave(R(schema,'group',dmGroupId));
|
||||
io.to(R(schema,'user',userId)).emit('group:deleted', { groupId: dmGroupId });
|
||||
const u = await queryOne(schema, 'SELECT name,display_name FROM users WHERE id=$1', [userId]);
|
||||
await postSysMsg(schema, dmGroupId, actorId, `${u?.display_name||u?.name||'A user'} has been removed from the conversation.`);
|
||||
}
|
||||
@@ -154,8 +156,8 @@ router.patch('/multigroup/:id', authMiddleware, teamManagerMiddleware, async (re
|
||||
`, [mg.id, uid]);
|
||||
if (!stillIn) {
|
||||
await exec(req.schema, 'DELETE FROM group_members WHERE group_id=$1 AND user_id=$2', [mg.dm_group_id, uid]);
|
||||
io.in(`user:${uid}`).socketsLeave(`group:${mg.dm_group_id}`);
|
||||
io.to(`user:${uid}`).emit('group:deleted', { groupId: mg.dm_group_id });
|
||||
io.in(R(schema,'user',uid)).socketsLeave(R(schema,'group',mg.dm_group_id));
|
||||
io.to(R(schema,'user',uid)).emit('group:deleted', { groupId: mg.dm_group_id });
|
||||
}
|
||||
}
|
||||
await postSysMsg(req.schema, mg.dm_group_id, req.user.id, `A group has been removed from this conversation.`);
|
||||
@@ -173,7 +175,7 @@ router.delete('/multigroup/:id', authMiddleware, teamManagerMiddleware, async (r
|
||||
if (mg.dm_group_id) {
|
||||
const members = (await query(req.schema, 'SELECT user_id FROM group_members WHERE group_id=$1', [mg.dm_group_id])).map(r => r.user_id);
|
||||
await exec(req.schema, 'DELETE FROM groups WHERE id=$1', [mg.dm_group_id]);
|
||||
for (const uid of members) io.to(`user:${uid}`).emit('group:deleted', { groupId: mg.dm_group_id });
|
||||
for (const uid of members) io.to(R(schema,'user',uid)).emit('group:deleted', { groupId: mg.dm_group_id });
|
||||
}
|
||||
await exec(req.schema, 'DELETE FROM multi_group_dms WHERE id=$1', [mg.id]);
|
||||
res.json({ success: true });
|
||||
@@ -281,8 +283,8 @@ router.patch('/:id', authMiddleware, teamManagerMiddleware, async (req, res) =>
|
||||
`, [mg.id, uid]);
|
||||
if (!stillIn) {
|
||||
await exec(req.schema, 'DELETE FROM group_members WHERE group_id=$1 AND user_id=$2', [mg.dm_group_id, uid]);
|
||||
io.in(`user:${uid}`).socketsLeave(`group:${mg.dm_group_id}`);
|
||||
io.to(`user:${uid}`).emit('group:deleted', { groupId: mg.dm_group_id });
|
||||
io.in(R(schema,'user',uid)).socketsLeave(R(schema,'group',mg.dm_group_id));
|
||||
io.to(R(schema,'user',uid)).emit('group:deleted', { groupId: mg.dm_group_id });
|
||||
}
|
||||
}
|
||||
if (addedUids.length > 0) await postSysMsg(req.schema, mg.dm_group_id, req.user.id, `Members were added to group "${ug.name}" and have joined this conversation.`);
|
||||
@@ -303,7 +305,7 @@ router.delete('/:id', authMiddleware, teamManagerMiddleware, async (req, res) =>
|
||||
if (ug.dm_group_id) {
|
||||
const members = (await query(req.schema, 'SELECT user_id FROM group_members WHERE group_id=$1', [ug.dm_group_id])).map(r => r.user_id);
|
||||
await exec(req.schema, 'DELETE FROM groups WHERE id=$1', [ug.dm_group_id]);
|
||||
for (const uid of members) { io.in(`user:${uid}`).socketsLeave(`group:${ug.dm_group_id}`); io.to(`user:${uid}`).emit('group:deleted', { groupId: ug.dm_group_id }); }
|
||||
for (const uid of members) { io.in(R(schema,'user',uid)).socketsLeave(R(schema,'group',ug.dm_group_id)); io.to(R(schema,'user',uid)).emit('group:deleted', { groupId: ug.dm_group_id }); }
|
||||
}
|
||||
await exec(req.schema, 'DELETE FROM user_groups WHERE id=$1', [ug.id]);
|
||||
res.json({ success: true });
|
||||
|
||||
Reference in New Issue
Block a user