From 69b10b824457cb688464e7445b2d68e99cc82377 Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Mon, 14 Feb 2022 15:06:00 +0100
Subject: Do full player role verification when joining a game.
---
 server.js | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'server.js')
diff --git a/server.js b/server.js
index 86d15b9..dd88d21 100644
--- a/server.js
+++ b/server.js
@@ -1269,6 +1269,16 @@ app.get('/join-events/:game_id', must_be_logged_in, function (req, res) {
 app.get('/join/:game_id/:role', must_be_logged_in, function (req, res) {
 let game_id = req.params.game_id | 0;
 let role = req.params.role;
+ let game = SQL_SELECT_GAME.get(game_id);
+ let roles = get_game_roles(game.title_id, game.scenario, game.options);
+ if (game.is_random) {
+ let m = role.match(/^Random (\d+)$/);
+ if (!m || Number(m[1]) < 1 || Number(m[1]) > roles.length)
+ return res.status(404).send("Invalid role.");
+ } else {
+ if (!roles.includes(role))
+ return res.status(404).send("Invalid role.");
+ }
 let info = SQL_INSERT_PLAYER_ROLE.run(game_id, role, req.user.user_id);
 if (info.changes === 1) {
 update_join_clients_players(game_id);
--
cgit v1.2.3
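Review bot: The row from `SQL_SELECT_GAME.get(game_id)` is dereferenced on the next added line (`game.title_id`) without checking that a game was found. If the statement returns `undefined` for an unknown id, as better-sqlite3-style `.get()` does, any logged-in user requesting `/join/<nonexistent id>/<role>` gets an uncaught TypeError instead of a 404. Adding `if (!game) return res.status(404).send("Invalid game.");` directly after the lookup would close that. In the `is_random` branch, `/^Random (\d+)$/` also accepts non-canonical spellings such as `Random 01`, which pass the numeric range check but are inserted verbatim as a role string distinct from `Random 1`; `/^Random ([1-9]\d*)$/` would restrict the stored value to the canonical form. The handler body continues past the end of the hunk, so whether the game's status is checked before the insert cannot be seen from here.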