Update pusher_controller.rb

prevent other users from subscribing to private channel of current user
pusher · Aug 5, 2013 · c302b1c · c302b1c
1 parent 3eddfbb
commit c302b1c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/app/controllers/pusher_controller.rb b/app/controllers/pusher_controller.rb
@@ -2,11 +2,11 @@ class PusherController < ApplicationController
   protect_from_forgery :except => :auth # stop rails CSRF protection for this action
 
   def auth
-    if current_user
+    if current_user && params[:channel_name] == "private-#{current_user.id}"
       response = Pusher[params[:channel_name]].authenticate(params[:socket_id])
       render :json => response
     else
       render :text => "Not authorized", :status => '403'
     end
   end
-end
+end