Add user verification for admin commands #33
Conversation
galgeek
changed the title
| ":addHelper" : ":addHelper <nickname> as a Test Day helper", | ||
| ":next" : ":next <start as YYYY-MM-DDThh:mmZ> <end as YYYY-MM-DDThh:mmZ> <etherpad> <topic> as next Test Day", | ||
| ":stats" : ":stats display Test Day stats", | ||
| ":stop" : ":stop Test Day early" |
There was a problem hiding this comment.
I don't see why we need all those changes. Especially not on this PR, which should only cover additional admin checks. Please revert that and if really necessary file a new issue and PR.
There was a problem hiding this comment.
Well, lets forget that. I see now why it was used for.
galgeek
force-pushed
the
i28-add-admin-verification-per-command
branch
from
ad520f8
to
a80b734
Compare
galgeek
changed the title
galgeek
changed the title
|
hi @whimboo ! thanks for your feedback. the updated commit addresses it, except as I've noted in response to your line notes above. |
| } | ||
| break; | ||
| case ":addAdmin": | ||
| if (cmdLen >= 2){ |
There was a problem hiding this comment.
For now lets compare to exactly 2. We do not handle anything else than the first argument to the command. The same applies to the other commands.
There was a problem hiding this comment.
Done.
My logic was that Javascript functions generally ignore extra parameters, and we do report what we've done.
There was a problem hiding this comment.
Currently we pass in only a single argument, but my point is that the user has to make use of the correct command definition. We might have to do extra checks in the future, but for now that length check should be enough.
galgeek
force-pushed
the
i28-add-admin-verification-per-command
branch
from
a80b734
to
d224041
Compare
|
Hi @whimboo ! Thanks for your feedback. I've updated this pull request. I've also responded to a couple of your line notes above. Maybe this is ready to be merged? |
|
hi @whimboo ! I've added another commit, adding verification for arguments to :addAdmin and :addHelper, checking first that the to be added is signed on to the channel before verifying with client.whois. This code tests fine, but I'm sure it could be condensed... I'm curious to know whether you're comfortable with these limits on an added nick. |
| @@ -126,72 +127,95 @@ client.addListener('message', function(from, to, message){ | |||
|
|
|||
| client.addListener('pm', function(from, message){ // private messages to bot | |||
| checkTestDay(); | |||
| if (message.search(':adminhelp') === 0){ | |||
| var command = message.split(" "); | |||
| if (command[0] in adminhelp){ // admin command | |||
| if (testDayAdmins.indexOf(from) >= 0){ | |||
There was a problem hiding this comment.
Lets negate this check and return early so that we can reduce the nested if/else conditions.
galgeek
force-pushed
the
i28-add-admin-verification-per-command
branch
from
5e7debf
to
e7b943f
Compare
|
hi @whimboo I've restructured this listener to decrease nesting. I've also backed out the checks on arguments to :addAdmin and :addHelper. Since we already check for logged on user of a registered nick and membership in the admin list before we run any admin command, it doesn't add much security to check these arguments, too. Moreover, it's not at all clear how we might verify a nick that's not currently signed in; that should probably be a separate issue. thank you for your feedback! |
|
hi @whimboo I see some possibilities, in /help ... output from the Mozilla IRC server, for doing additional validation of arguments to :addAdmin/:addHelper, in particular, the /check command available to operators (though apparently not to all channel operators, so I can't test them with op on the #testdaybotTest channel), and there may be others. Maybe you know more? I do think this should be a separate issue. |
Right now I think we should not allow the action and abort it. Only identified users should be able to get added. |
|
Also not exactly sure what you mean with the /help output. Maybe you can clarify? |
|
Hi @whimboo Mozilla's IRC server has an operator command, |
galgeek
force-pushed
the
i28-add-admin-verification-per-command
branch
from
e7b943f
to
340f07b
Compare
|
Hi @whimboo |
|
Hm, |
|
|
||
| client.whois(from, function(whoisinfo){ | ||
| if (!(whoisinfo.accountinfo && whoisinfo.accountinfo.search('is logged in as') >= 0)){ | ||
| client.say(from, "Sorry! You're not logged in with a registered nick."); |
There was a problem hiding this comment.
You can also return early here.
nit: something I have seen a lot and which might be helpful to you... opening { brackets will also get a blank before. You might want to have a look at our general Mozilla coding styles: https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Coding_Style
galgeek
force-pushed
the
i28-add-admin-verification-per-command
branch
from
340f07b
to
18f5b1d
Compare
|
This looks fine to me. I will get it merged in a minute. Thanks Barbara! |
hi @whimboo !
here's a patch for issue #28. I've run some quick tests on it, seems ok.
this could perhaps still be tidied up some, but it is far better than the code it replaces in the first patch.
I've added some error-checking and tweaked the adminhelp array to support all this.