mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-24 22:25:52 -05:00
Guest sharing security improvements.
This commit is contained in:
parent
2ca10b3e58
commit
529fa04094
@ -1670,16 +1670,16 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
break;
|
||||
}
|
||||
case 'guestShare': {
|
||||
if ((domain.agentselfguestsharing !== true) || (typeof command.flags != 'number')) return; // Check if agent self-sharing is allowed, this is off by default.
|
||||
if (command.flags == 0) {
|
||||
// Stop any current self-share
|
||||
if ((command.flags == null) || (command.flags == 0)) {
|
||||
// Stop any current self-share, this is allowed even if self guest sharing is not allows so to clear any old shares.
|
||||
removeGuestSharing(function () {
|
||||
delete obj.guestSharing;
|
||||
obj.send(JSON.stringify({ action: 'guestShare', flags: command.flags, url: null, viewOnly: false }));
|
||||
});
|
||||
} else {
|
||||
// Add a new self-share, this will replace any share for this device
|
||||
if ((command.flags & 1) == 0) { command.viewOnly = false; } // Only allow "view only" if desktop is shared.
|
||||
if ((domain.agentselfguestsharing !== true) || (typeof command.flags != 'number')) return; // Check if agent self-sharing is allowed, this is off by default.
|
||||
if ((command.flags & 2) == 0) { command.viewOnly = false; } // Only allow "view only" if desktop is shared.
|
||||
addGuestSharing(command.flags, command.viewOnly, function (share) {
|
||||
obj.guestSharing = true;
|
||||
obj.send(JSON.stringify({ action: 'guestShare', url: share.url, flags: share.flags, viewOnly: share.viewOnly }));
|
||||
|
@ -402,6 +402,12 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
else if (event == 'resubscribe') { user.subscriptions = parent.subscribe(user._id, ws); }
|
||||
else if (event == 'updatefiles') { updateUserFiles(user, ws, domain); }
|
||||
else {
|
||||
// If updating guest device shares, if we are updating a user that is not creator of the share, remove the URL.
|
||||
if (event.action == 'deviceShareUpdate') {
|
||||
event = common.Clone(event);
|
||||
for (var i in event.deviceShares) { if (event.deviceShares[i].userid != user._id) { delete event.deviceShares[i].url; } }
|
||||
}
|
||||
|
||||
// Because of the device group "Show Self Events Only", we need to do more checks here.
|
||||
if (id.startsWith('mesh/')) {
|
||||
// Check if we have rights to get this message. If we have limited events on this mesh, don't send the event to the user.
|
||||
@ -430,7 +436,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
ws.send(JSON.stringify({ action: 'event', event: event }));
|
||||
}
|
||||
}
|
||||
} catch (e) { }
|
||||
} catch (ex) { console.log(ex); }
|
||||
}
|
||||
};
|
||||
|
||||
@ -4613,6 +4619,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
} else {
|
||||
// This share is ok, remove extra data we don't need to send.
|
||||
delete doc._id; delete doc.domain; delete doc.nodeid; delete doc.type;
|
||||
if (doc.userid != user._id) { delete doc.url; } // If this is not the user who created this link, don't give the link.
|
||||
okDocs.push(doc);
|
||||
}
|
||||
}
|
||||
|
@ -7096,19 +7096,22 @@
|
||||
x += '<br /><table style="color:black;background-color:#EEE;border-color:#AAA;border-width:1px;border-style:solid;border-collapse:collapse" border=0 cellpadding=2 cellspacing=0 width=100%><tbody><tr style=background-color:#AAAAAA;font-weight:bold><th scope=col style=text-align:left;width:430px>' + "Active Device Sharing" + '</th><th scope=col style=text-align:left></th></tr>';
|
||||
count = 1;
|
||||
for (var i = 0; i < deviceShares.length; i++) {
|
||||
var dshare = deviceShares[i];
|
||||
var trash = '<a href="' + dshare.url + '" rel="noreferrer noopener" target=_blank title="' + "Device Sharing Link" + '" style=cursor:pointer><img src=images/link2.png border=0 height=10 width=10></a> <a href=# onclick=\'return p30removeDeviceSharing(event,"' + encodeURIComponentEx(currentNode._id) + '","' + encodeURIComponentEx(dshare.publicid) + '","' + encodeURIComponentEx(dshare.guestName) + '")\' title="' + "Remove device sharing" + '" style=cursor:pointer><img src=images/trash.png border=0 height=10 width=10></a>';
|
||||
var dshare = deviceShares[i], trash = '';
|
||||
if (dshare.url != null) { trash += '<a href="' + dshare.url + '" rel="noreferrer noopener" target=_blank title="' + "Device Sharing Link" + '" style=cursor:pointer><img src=images/link2.png border=0 height=10 width=10></a> '; }
|
||||
trash += '<a href=# onclick=\'return p30removeDeviceSharing(event,"' + encodeURIComponentEx(currentNode._id) + '","' + encodeURIComponentEx(dshare.publicid) + '","' + encodeURIComponentEx(dshare.guestName) + '")\' title="' + "Remove device sharing" + '" style=cursor:pointer><img src=images/trash.png border=0 height=10 width=10></a>';
|
||||
var type = ['', "Terminal", "Desktop", "Desktop + Terminal", "Files", "Terminal + Files", "Desktop + Files", "Desktop + Terminal + Files"][dshare.p];
|
||||
var details = type;
|
||||
if ((dshare.startTime != null) && (dshare.expireTime != null)) { details = format("{0}, {1} to {2}", type, printFlexDateTime(new Date(dshare.startTime)), printFlexDateTime(new Date(dshare.expireTime))); }
|
||||
if (dshare.viewOnly === true) { details += ", View only"; }
|
||||
if (((dshare.p & 2) != 0) && (dshare.viewOnly === true)) { details += ", View only desktop"; }
|
||||
if (dshare.consent != null) {
|
||||
if (dshare.consent == 0) { details += ", No Consent"; } else {
|
||||
if ((dshare.consent & 0x0038) != 0) { details += ", Prompt for consent"; }
|
||||
if ((dshare.consent & 0x0040) != 0) { details += ", Toolbar"; }
|
||||
}
|
||||
}
|
||||
x += '<tr ' + (((++count % 2) == 0) ? 'style=background-color:#DDD' : '') + '><td style=width:30%><div class=m' + 2 + '></div><div> ' + dshare.guestName + '<div></div></div></td><td style=width:70%><div style=float:right>' + trash + '</div><div>' + details + '</div></td></tr>';
|
||||
var guestName = EscapeHtml(dshare.guestName);
|
||||
if (dshare.publicid.startsWith('AS:node/')) { guestName = '<i>' + "Agent Self-Share" + '</i>'; }
|
||||
x += '<tr ' + (((++count % 2) == 0) ? 'style=background-color:#DDD' : '') + '><td style=width:30%><div class=m' + 2 + '></div><div> ' + guestName + '<div></div></div></td><td style=width:70%><div style=float:right>' + trash + '</div><div>' + details + '</div></td></tr>';
|
||||
}
|
||||
x += '</tbody></table>';
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user