From c302b1c6fd25a89be949e1084b0b7b0ebbb6fede Mon Sep 17 00:00:00 2001
From: longkt90 <longkt90@gmail.com>
Date: Mon, 5 Aug 2013 16:22:33 +0700
Subject: [PATCH] Update pusher_controller.rb

prevent other users from subscribing to private channel of current user
---
 app/controllers/pusher_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/pusher_controller.rb b/app/controllers/pusher_controller.rb
index e200a4b..65e8dd3 100644
--- a/app/controllers/pusher_controller.rb
+++ b/app/controllers/pusher_controller.rb
@@ -2,11 +2,11 @@ class PusherController < ApplicationController
   protect_from_forgery :except => :auth # stop rails CSRF protection for this action
   
   def auth
-    if current_user
+    if current_user && params[:channel_name] == "private-#{current_user.id}"
       response = Pusher[params[:channel_name]].authenticate(params[:socket_id])
       render :json => response
     else
       render :text => "Not authorized", :status => '403'
     end
   end
-end
\ No newline at end of file
+end