Commit b9afb7a5 authored by Pietro Albini's avatar Pietro Albini

Authenticate incoming callback queries

parent 8dd30d91
...@@ -56,7 +56,7 @@ def create_bot(token, db_path): ...@@ -56,7 +56,7 @@ def create_bot(token, db_path):
auth = AuthComponent(db) auth = AuthComponent(db)
settings = SettingsComponent(db, buffer) settings = SettingsComponent(db, buffer)
post = PostComponent(db, buffer) post = PostComponent(db, buffer, auth)
bot.use(auth) bot.use(auth)
bot.use(settings) bot.use(settings)
......
...@@ -43,9 +43,10 @@ def inline_keyboard(buttons): ...@@ -43,9 +43,10 @@ def inline_keyboard(buttons):
class PostComponent(botogram.Component): class PostComponent(botogram.Component):
component_name = "post" component_name = "post"
def __init__(self, db, buffer): def __init__(self, db, buffer, auth):
self.db = db self.db = db
self.buffer = buffer self.buffer = buffer
self.auth = auth
self.add_timer(2 * 60, self.cleanup) self.add_timer(2 * 60, self.cleanup)
self.add_timer(5 * 60, self.post_to_telegram) self.add_timer(5 * 60, self.post_to_telegram)
...@@ -161,6 +162,9 @@ class PostComponent(botogram.Component): ...@@ -161,6 +162,9 @@ class PostComponent(botogram.Component):
query = update.callback_query query = update.callback_query
action, data = query.data.split(":", 1) action, data = query.data.split(":", 1)
# Authenticate the request
self.auth.check(query.message.chat)
if action == "now": if action == "now":
if query.sender not in query.message.chat.admins: if query.sender not in query.message.chat.admins:
bot.api.call("answerCallbackQuery", { bot.api.call("answerCallbackQuery", {
......
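Review bot: The result of `self.auth.check(query.message.chat)` is discarded, so the added line protects the callback handler only if `check` raises or otherwise aborts for an unauthorized chat; `AuthComponent.check` is not visible here, so this should be confirmed. If it returns a boolean, make the failure path explicit, e.g. `if not self.auth.check(query.message.chat): return`. The check also runs after `query.data.split(":", 1)`, so callback data echoed back by the client is parsed, and raises `ValueError` when it contains no `:`, before the request is authenticated; moving the check above the split avoids that. The handler's body starts and ends outside the hunk, so how the other actions treat `query.sender` cannot be judged from here.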