Security Fix 1: IDOR in setCreateTranslation. Non-admin could change Custom Translation.

Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec.
2025-12-30 06:08:48 +01:00 · 2025-12-29 16:20:17 +02:00 · 2025-12-29 16:20:17 +02:00 · f244a43771
commit f244a43771
parent 48e856fca2
2 changed files with 19 additions and 1 deletions
--- a/client/components/settings/translationBody.js
+++ b/client/components/settings/translationBody.js
@ -208,7 +208,7 @@ Template.newTranslationPopup.events({
 Template.settingsTranslationPopup.events({
  'click #deleteButton'(event) {
    event.preventDefault();
-    Translation.remove(this.translationId);
+    Meteor.call('deleteTranslation', this.translationId);
    Popup.back();
  }
 });
--- a/models/translation.js
+++ b/models/translation.js
@ -98,6 +98,10 @@ if (Meteor.isServer) {
      check(text, String);
      check(translationText, String);

+      if (!ReactiveCache.getCurrentUser()?.isAdmin) {
+        throw new Meteor.Error('not-authorized');
+      }
+
      const nTexts = ReactiveCache.getTranslations({ language, text }).length;
      if (nTexts > 0) {
        throw new Meteor.Error('text-already-taken');
@ -112,10 +116,24 @@ if (Meteor.isServer) {
    setTranslationText(translation, translationText) {
      check(translation, Object);
      check(translationText, String);
+
+      if (!ReactiveCache.getCurrentUser()?.isAdmin) {
+        throw new Meteor.Error('not-authorized');
+      }
+
      Translation.update(translation, {
        $set: { translationText: translationText },
      });
    },
+    deleteTranslation(translationId) {
+      check(translationId, String);
+
+      if (!ReactiveCache.getCurrentUser()?.isAdmin) {
+        throw new Meteor.Error('not-authorized');
+      }
+
+      Translation.remove(translationId);
+    },
  });
 }