Prevent user from changing their picture, but for the 'main' field
eprochasson committed Jul 10, 2013
1 parent bb73e6c commit 380abe9
Showing 5 changed files with 7 additions and 6 deletions.
3 changes: 2 additions & 1 deletion TODO
Expand Up @@ -7,4 +7,5 @@ Add a messaging system (instant chat)
Activities: what did one do, what can of activity can the others see.
Upload pictures

Check picture security, make sure users can't change their picture URL
Check picture security, make sure users can't change their picture URL
Check user security: do not allow user to change all their profile.
4 changes: 2 additions & 2 deletions client/views/profile/profile_pictures.js
Expand Up @@ -45,9 +45,9 @@ Template.profile_pictures.events({

Meteor.call('denormalizeProfilePicture', urls, function(err, res){
if(err){
console.log(err);
console.log('profile picture change not ok');
} else {
console.log(res);
console.log('profile picture change ok');
}
})

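Review bot: In the error branch of the Meteor.call callback, replacing console.log(err) with the fixed string 'profile picture change not ok' discards the server's error, so a rejected picture change can no longer be told apart from any other failure. Keep the error in the message, for example console.log('profile picture change not ok', err), and surface the failure in the UI rather than only in the browser console.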
2 changes: 1 addition & 1 deletion client/views/widgets/online_friends.html
Expand Up @@ -13,5 +13,5 @@
</template>

<template name="online_friend">
<li><img src="{{profile.picture.thumbnail50x50}}" /><a href="{{profilePath}}/{{_id}}">{{profile.name}}</a> is online (<a class="startChat" href="#">chat</a>)</a></li>
<li><img src="{{picture.thumbnail50x50}}" /><a href="{{profilePath}}/{{_id}}">{{profile.name}}</a> is online (<a class="startChat" href="#">chat</a>)</a></li>
</template>
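Review bot: The img src in online_friend now reads {{picture.thumbnail50x50}} from the top level of the user document, but none of the five files in this commit touches a publication, and by default Meteor sends only username, emails and profile of the logged-in user to the client. Confirm the publication that feeds this template includes the picture field, and that existing users whose thumbnails are stored under profile.picture are migrated. The line also still ends with an unmatched </a> before </li>.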
2 changes: 1 addition & 1 deletion collections/pictures.js
Expand Up @@ -9,7 +9,7 @@ Pictures.allow({
return isValidImage(myFile.contentType) && myFile.length < 1024*1024 && Pictures.find({owner: userId}).count() < 8 && userId && myFile.owner === userId;
},
update: function(userId, file, fields, modifier) {
return file.owner === userId;
return fields == 'main' && file.owner === userId; // Only allow user to change the 'main' field (which indicate the profile picture).
},
remove: function(userId, files) { return false; }
});
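Review bot: In the update rule, fields == 'main' compares the array of modified top-level field names with a string and passes only because loose equality coerces ['main'] to 'main'; state the intent explicitly with fields.length === 1 && fields[0] === 'main'. The rule also ignores modifier, so the owner can write any value or use any operator on main; if main is meant to be a boolean flag, check that the modifier is a $set of a boolean.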
2 changes: 1 addition & 1 deletion server/users.js
Expand Up @@ -49,7 +49,7 @@ Meteor.methods({
},
denormalizeProfilePicture: function(pixHandler){
if(pixHandler){
Meteor.users.update(Meteor.userId(), {$set: {'profile.picture': pixHandler}});
Meteor.users.update(Meteor.userId(), {$set: {'picture': pixHandler}});
return true;
} else {
throw new Meteor.Error(500, 'Internal Error');
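Review bot: denormalizeProfilePicture still writes the client-supplied pixHandler into the user document unchecked, so moving the target from 'profile.picture' to 'picture' does not stop a user from storing arbitrary URLs through this method (the client calls it with urls). Accept a picture id instead, confirm that a Pictures document with that id has owner === this.userId, and build the thumbnail URLs on the server. Also reject the call when Meteor.userId() is null before running the update.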