authorTor Andersson <tor@ccxvii.net>2022-02-14 15:06:00 +0100
committerTor Andersson <tor@ccxvii.net>2022-02-15 12:18:30 +0100
commit69b10b824457cb688464e7445b2d68e99cc82377 (patch)
tree9d4c81b06c04032252203466ba724cda671bd25a /server.js
parentf6b774bd88a4249190ea1d304495e5e086e02ac7 (diff)
downloadserver-69b10b824457cb688464e7445b2d68e99cc82377.tar.gz
Do full player role verification when joining a game.
Diffstat (limited to 'server.js')
-rw-r--r--server.js10
1 files changed, 10 insertions, 0 deletions
diff --git a/server.js b/server.js
index 86d15b9..dd88d21 100644
--- a/server.js
+++ b/server.js
@@ -1269,6 +1269,16 @@ app.get('/join-events/:game_id', must_be_logged_in, function (req, res) {
app.get('/join/:game_id/:role', must_be_logged_in, function (req, res) {
let game_id = req.params.game_id | 0;
let role = req.params.role;
+ let game = SQL_SELECT_GAME.get(game_id);
+ let roles = get_game_roles(game.title_id, game.scenario, game.options);
+ if (game.is_random) {
+ let m = role.match(/^Random (\d+)$/);
+ if (!m || Number(m[1]) < 1 || Number(m[1]) > roles.length)
+ return res.status(404).send("Invalid role.");
+ } else {
+ if (!roles.includes(role))
+ return res.status(404).send("Invalid role.");
+ }
let info = SQL_INSERT_PLAYER_ROLE.run(game_id, role, req.user.user_id);
if (info.changes === 1) {
update_join_clients_players(game_id);
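Review bot: The result of `SQL_SELECT_GAME.get(game_id)` is dereferenced on the very next added line without checking that a row came back. A request for a game id that does not exist (including any non-numeric id, which `| 0` turns into 0) would presumably throw on `game.title_id` and surface as a 500 rather than a clean rejection; add `if (!game) return res.status(404).send("Invalid game.");` before the `get_game_roles` call. In the `is_random` branch, `\d+` also accepts zero-padded numbers, so `Random 01` passes the range check and is passed verbatim to `SQL_INSERT_PLAYER_ROLE` as a role string distinct from `Random 1`; tightening the pattern to `/^Random ([1-9]\d*)$/` keeps the accepted values canonical. The handler continues past the end of the hunk, so whether the insert statement or later code already rejects these cases is not visible here.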