Improved uicustomevent security and events, #3823

2024-08-16 04:00:28 +03:00 · 2022-03-30 07:14:14 -07:00 · 2022-03-30 07:14:14 -07:00 · 5a81c84d67
commit 5a81c84d67
parent 3e0b76d423
3 changed files with 43 additions and 9 deletions
--- a/meshuser.js
+++ b/meshuser.js
@ -4244,13 +4244,31 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                break;
            }
            case 'uicustomevent': {
-                // Event the custom UI action
-                var message = { etype: 'user', userid: user._id, username: user.name, action: 'uicustomevent', domain: domain.id, uisection: command.section, element: command.element  };
-                if (command.selectedDevices != null) { message.selectedDevices = command.selectedDevices; }
-                if (command.src != null) { message.src = command.src; }
-                if (command.values != null) { message.values = command.values; }
-                if (typeof command.logmsg == 'string') { message.msg = command.logmsg; } else { message.nolog = 1; }
-                parent.parent.DispatchEvent(['*', user._id], obj, message);
+                if ((command.src != null) && (Array.isArray(command.src.selectedDevices))) {
+                    // Contains a list of nodeid's, check that we have permissions for them.
+                    parent.GetNodesWithRights(domain, user, command.src.selectedDevices, function (nodes) {
+                        var nodeids = [];
+                        for (var i in nodes) { nodeids.push(i); }
+                        if (nodeids.length == 0) return;
+
+                        // Event the custom UI action
+                        var message = { etype: 'user', userid: user._id, username: user.name, action: 'uicustomevent', domain: domain.id, uisection: command.section, element: command.element };
+                        if (nodeids.length == 1) { message.nodeid = nodeids[0]; }
+                        if (command.selectedDevices != null) { message.selectedDevices = command.selectedDevices; }
+                        if (command.src != null) { message.src = command.src; }
+                        if (command.values != null) { message.values = command.values; }
+                        if (typeof command.logmsg == 'string') { message.msg = command.logmsg; } else { message.nolog = 1; }
+                        parent.parent.DispatchEvent(['*', user._id], obj, message);
+                    });
+                } else {
+                    // Event the custom UI action
+                    var message = { etype: 'user', userid: user._id, username: user.name, action: 'uicustomevent', domain: domain.id, uisection: command.section, element: command.element };
+                    if (command.selectedDevices != null) { message.selectedDevices = command.selectedDevices; }
+                    if (command.src != null) { message.src = command.src; }
+                    if (command.values != null) { message.values = command.values; }
+                    if (typeof command.logmsg == 'string') { message.msg = command.logmsg; } else { message.nolog = 1; }
+                    parent.parent.DispatchEvent(['*', user._id], obj, message);
+                }
                break;
            }
            case 'serverBackup': {
--- a/views/default.handlebars
+++ b/views/default.handlebars
@ -10597,8 +10597,12 @@
            if (xevent) {
                var x = '<div style=overflow-y:auto;max-height:300px>';
                for (var i in xevent) {
-                    if ((i == 'h') || (i == '_id') || (i == 'ids') || (i == 'domain') || (xevent[i] == null) || (typeof xevent[i] == 'object')) continue;
-                    x += addHtmlValue3(EscapeHtml(i), EscapeHtml(xevent[i]));
+                    if ((i == 'h') || (i == '_id') || (i == 'ids') || (i == 'domain') || (xevent[i] == null)) continue;
+                    if (typeof xevent[i] == 'object') {
+                        x += addHtmlValue3(EscapeHtml(i), EscapeHtml(JSON.stringify(xevent[i])));
+                    } else {
+                        x += addHtmlValue3(EscapeHtml(i), EscapeHtml(xevent[i]));
+                    }
                }
                x += '</div>';
                setDialogMode(2, "Event Details", 9, null, x);
--- a/webserver.js
+++ b/webserver.js
@ -7158,6 +7158,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
        return rights;
    }

+
+    // Return the node and rights for a array of nodeids
+    obj.GetNodesWithRights = function (domain, user, nodeids, func) {
+        var rc = nodeids.length, r = {};
+        for (var i in nodeids) {
+            obj.GetNodeWithRights(domain, user, nodeids[i], function (node, rights, visible) {
+                if ((node != null) && (visible == true)) { r[node._id] = { node: node, rights: rights }; if (--rc == 0) { func(r); } }
+            });
+        }
+    }
+
+
    // Return the node and rights for a given nodeid
    obj.GetNodeWithRights = function (domain, user, nodeid, func) {
        // Perform user pre-validation