Authenticate incoming callback queries

b9afb7a5 · Pietro Albini · 8dd30d91 · b9afb7a5 · b9afb7a5
Commit b9afb7a5 authored Jun 06, 2017 by Pietro Albini
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

uitsmmbot/bot.py uitsmmbot/bot.py +1 -1

uitsmmbot/post.py uitsmmbot/post.py +5 -1

No files found.
--- a/uitsmmbot/bot.py
+++ b/uitsmmbot/bot.py
@@ -56,7 +56,7 @@ def create_bot(token, db_path):

    auth = AuthComponent(db)
    settings = SettingsComponent(db, buffer)
-    post = PostComponent(db, buffer)
+    post = PostComponent(db, buffer, auth)

    bot.use(auth)
    bot.use(settings)

--- a/uitsmmbot/post.py
+++ b/uitsmmbot/post.py
@@ -43,9 +43,10 @@ def inline_keyboard(buttons):
 class PostComponent(botogram.Component):
    component_name = "post"

-    def __init__(self, db, buffer):
+    def __init__(self, db, buffer, auth):
        self.db = db
        self.buffer = buffer
+        self.auth = auth

        self.add_timer(2 * 60, self.cleanup)
        self.add_timer(5 * 60, self.post_to_telegram)
@@ -161,6 +162,9 @@ class PostComponent(botogram.Component):
        query = update.callback_query
        action, data = query.data.split(":", 1)

+        # Authenticate the request
+        self.auth.check(query.message.chat)
+
        if action == "now":
            if query.sender not in query.message.chat.admins:
                bot.api.call("answerCallbackQuery", {