Commit 15477c18 authored by Idir Lankri's avatar Idir Lankri

Fix a critical vulnerability of the corpus manager

When the platform is installed in server mode, a user who edits the URL
in the browser's address bar can obtain write permissions on the
corpus stored on the server.
parent 0dd5926e
......@@ -266,12 +266,19 @@ module Make (Loc : Location) : S = struct
| Manager -> "manager"
]
;
value permission_of_string = fun
[ "annotator" -> Annotator
| "manager" -> Manager
| _ -> Reader
value restrict_permission perm =
match Html.target with
[ Html.Server -> Reader
| Html.Simputer | Html.Computer | Html.Station -> perm
]
;
value permission_of_string s = s |> to_perm |> restrict_permission
where to_perm = fun
[ "annotator" -> Annotator
| "manager" -> Manager
| _ -> Reader
]
;
value url dir permission sentence =
let analysis = Sentence.analysis sentence in
let env =
......
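Review bot: `restrict_permission` is applied only inside `permission_of_string`, so the server-mode downgrade protects the corpus only if every write path obtains its permission through this parser; the code that performs the writes is outside the hunk, so this cannot be confirmed from here. Because the permission originates from a client-editable URL parameter, the handlers that modify the corpus should re-check it themselves, for example by calling `restrict_permission` on the permission they receive or by refusing to write when `Html.target` is `Html.Server`. Listing `Html.Simputer | Html.Computer | Html.Station` explicitly rather than using a wildcard is worth keeping, since a newly added target then has to be classified deliberately. The intent should also be documented above the function, e.g. `(* In server mode the permission comes from the URL and cannot be trusted: always Reader. *)`. The enclosing `module Make` body starts and ends outside the hunk.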