Commit
CVE-2024-21630: Check permission to subscribe others using invite link.
This commit updates the API to check the permission to subscribe other users while creating multi-use invites. The API will raise an error if the user passes the "stream_ids" parameter (even when it contains only default streams) and the calling user does not have permission to subscribe others to streams. We did not add this before as we only allowed admins to create multiuse invites, but now we have added a setting which can be used to allow users with other roles as well to create multiuse invites.
Showing 2 changed files with 62 additions and 0 deletions.
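The check the commit message describes, as an added sketch that is not Zulip's code: once invite creation is opened to non-admin roles, the right to subscribe others must be tested separately from the right to create the invite. All names here (`Role`, `Realm`, `User`, `create_multiuse_invite`, `PermissionDenied`) and the sample stream ids are hypothetical, and treating any supplied list as "passing the parameter" is an assumption.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Sequence


class Role(IntEnum):
    """Hypothetical role ladder; a lower value is more privileged."""
    ADMIN = 1
    MODERATOR = 2
    MEMBER = 3


@dataclass(frozen=True)
class Realm:
    # Two independent settings: relaxing the first must not relax the second.
    create_multiuse_invite_min_role: Role
    subscribe_others_min_role: Role


@dataclass(frozen=True)
class User:
    role: Role
    realm: Realm

    def can_create_multiuse_invite(self) -> bool:
        return self.role <= self.realm.create_multiuse_invite_min_role

    def can_subscribe_others(self) -> bool:
        return self.role <= self.realm.subscribe_others_min_role


class PermissionDenied(Exception):
    pass


DEFAULT_STREAM_IDS = frozenset({1})  # constructed sample value


def create_multiuse_invite(user: User, stream_ids: Optional[Sequence[int]] = None) -> dict:
    if not user.can_create_multiuse_invite():
        raise PermissionDenied("not allowed to create multi-use invites")
    # Second, separate check. Default streams get no exemption: supplying
    # stream_ids at all requires the subscribe-others permission.
    if stream_ids is not None and not user.can_subscribe_others():
        raise PermissionDenied("not allowed to subscribe other users")
    return {"created_by": user.role.name, "stream_ids": sorted(stream_ids or [])}
```
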