Commit Graph

5 Commits

Author SHA1 Message Date
Steve Howell 50362a8c39 poll widget: Check types for inbound events. 2021-06-14 17:46:16 -07:00
Steve Howell 99cdfbcbe5 widgets: Clean up index handling.
We only need to bump up indexes if inbound
events suggest that we have incremented our
personal index from another device.

We don't want somebody else's runaway index
to affect our index.

(For both widgets the sender_id is part of
the key, so uniqueness across all senders is
not required for the integer part.)
2021-06-14 17:46:16 -07:00
Steve Howell 91b8049ecf minor: Add permission-related comments to widgets. 2021-06-14 17:46:16 -07:00
Steve Howell 5f73164210 poll widget: Prevent question updates from non-authors.
We now ignore question edits if the sender of the submessage
is not the message author.

The webapp UI prevents folks from editing the question for
somebody else's poll, but a determined person could use our
low level API to do it.  We will add safeguards on the server
side for this, but this change is sufficient to protect the
webapp (and mobile when they upgrade the library).
2021-06-14 17:46:16 -07:00
Wesley Aptekar-Cassels da0c616b69 shared: Move PollData into shared. 2021-04-19 06:34:08 -04:00