Merge pull request #22 from piranha32/dont_snoop_on_mail

Block users from reading mail for other nodes
This commit is contained in:
TC² 2024-06-29 08:24:10 -04:00 committed by GitHub
commit e2c06ec287
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 23 additions and 11 deletions

View file

@ -258,10 +258,19 @@ def handle_mail_steps(sender_id, message, step, state, interface, bbs_nodes):
elif step == 2: elif step == 2:
mail_id = int(message) mail_id = int(message)
sender, date, subject, content, unique_id = get_mail_content(mail_id) try:
# ERROR: sender_id is not what is stored in the DB
sender_node_id = get_node_id_from_num(sender_id, interface)
sender, date, subject, content, unique_id = get_mail_content(mail_id, sender_node_id)
send_message(f"Date: {date}\nFrom: {sender}\nSubject: {subject}\n{content}", sender_id, interface) send_message(f"Date: {date}\nFrom: {sender}\nSubject: {subject}\n{content}", sender_id, interface)
send_message("Would you like to delete this message now that you've viewed it? Y/N", sender_id, interface) send_message("Would you like to delete this message now that you've viewed it? Y/N", sender_id, interface)
update_user_state(sender_id, {'command': 'MAIL', 'step': 4, 'mail_id': mail_id, 'unique_id': unique_id}) update_user_state(sender_id, {'command': 'MAIL', 'step': 4, 'mail_id': mail_id, 'unique_id': unique_id})
except TypeError:
# get_main_content returned None. Node tried to access somebody's else mail message
logging.info(f"Node {sender_id} tried to access non-existent message")
send_message(f"Mail not found", sender_id, interface)
update_user_state(sender_id, None)
elif step == 3: elif step == 3:
short_name = message short_name = message
@ -283,7 +292,8 @@ def handle_mail_steps(sender_id, message, step, state, interface, bbs_nodes):
elif step == 4: elif step == 4:
if message.lower() == "y": if message.lower() == "y":
unique_id = state['unique_id'] unique_id = state['unique_id']
delete_mail(unique_id, bbs_nodes, interface) sender_node_id = get_node_id_from_num(sender_id, interface)
delete_mail(unique_id, sender_node_id, bbs_nodes, interface)
send_message("The message has been deleted 🗑️", sender_id, interface) send_message("The message has been deleted 🗑️", sender_id, interface)
else: else:
send_message("The message has been kept in your inbox.✉️\nJust don't let it get as messy as your regular email inbox (ಠ_ಠ)", sender_id, interface) send_message("The message has been kept in your inbox.✉️\nJust don't let it get as messy as your regular email inbox (ಠ_ಠ)", sender_id, interface)

View file

@ -123,24 +123,26 @@ def get_mail(recipient_id):
c.execute("SELECT id, sender_short_name, subject, date, unique_id FROM mail WHERE recipient = ?", (recipient_id,)) c.execute("SELECT id, sender_short_name, subject, date, unique_id FROM mail WHERE recipient = ?", (recipient_id,))
return c.fetchall() return c.fetchall()
def get_mail_content(mail_id): def get_mail_content(mail_id, recipient_id):
# TODO: ensure only recipient can read mail
conn = get_db_connection() conn = get_db_connection()
c = conn.cursor() c = conn.cursor()
c.execute("SELECT sender_short_name, date, subject, content, unique_id FROM mail WHERE id = ?", (mail_id,)) c.execute("SELECT sender_short_name, date, subject, content, unique_id FROM mail WHERE id = ? and recipient = ?", (mail_id, recipient_id,))
return c.fetchone() return c.fetchone()
def delete_mail(unique_id, bbs_nodes, interface): def delete_mail(unique_id, recipient_id, bbs_nodes, interface):
logging.info(f"Attempting to delete mail with unique_id: {unique_id}") # TODO: ensure only recipient can delete mail
logging.info(f"Attempting to delete mail with unique_id: {unique_id} by {recipient_id}")
conn = get_db_connection() conn = get_db_connection()
c = conn.cursor() c = conn.cursor()
try: try:
c.execute("SELECT unique_id FROM mail WHERE unique_id = ?", (unique_id,)) c.execute("SELECT unique_id FROM mail WHERE unique_id = ? and recipient = ?", (unique_id, recipient_id,))
result = c.fetchone() result = c.fetchone()
logging.debug(f"Fetch result for unique_id {unique_id}: {result}") logging.debug(f"Fetch result for unique_id {unique_id}: {result}")
if result is None: if result is None:
logging.error(f"No mail found with unique_id: {unique_id}") logging.error(f"No mail found with unique_id: {unique_id}")
return # Early exit if no matching mail found return # Early exit if no matching mail found
c.execute("DELETE FROM mail WHERE unique_id = ?", (unique_id,)) c.execute("DELETE FROM mail WHERE unique_id = ? and recipient = ?", (unique_id, recipient_id,))
conn.commit() conn.commit()
send_delete_mail_to_bbs_nodes(unique_id, bbs_nodes, interface) send_delete_mail_to_bbs_nodes(unique_id, bbs_nodes, interface)
logging.info(f"Mail with unique_id: {unique_id} deleted and sync message sent.") logging.info(f"Mail with unique_id: {unique_id} deleted and sync message sent.")