From 8e0d91dcf5828f42ff4951c50699d0564a64cd22 Mon Sep 17 00:00:00 2001 From: Cory McWilliams Date: Sat, 30 Nov 2024 16:58:48 -0500 Subject: [PATCH] security: Setting global settings requires approval. --- core/core.js | 1 + tools/autotest.py | 1 + 2 files changed, 2 insertions(+) diff --git a/core/core.js b/core/core.js index 29a208bfa..b3f9d49b1 100644 --- a/core/core.js +++ b/core/core.js @@ -419,6 +419,7 @@ async function getProcessBlob(blobId, key, options) { return settings?.[key]; }; imports.core.globalSettingsSet = async function (key, value) { + await imports.core.permissionTest('set_global_setting'); print('Setting', key, value); let settings = await loadSettings(); settings[key] = value; diff --git a/tools/autotest.py b/tools/autotest.py index 0d6740699..04f115421 100755 --- a/tools/autotest.py +++ b/tools/autotest.py @@ -78,6 +78,7 @@ try: driver.get('http://localhost:8888/~core/admin/') select(driver, ['#document', 'frame', '#gs_room_name'], ('send_keys', 'test room')) select(driver, ['#document', 'frame', '//*[@id="gs_room_name"]/following-sibling::button'], ('click',)) + select(driver, ['//button[text()="✅ Allow"]'], ('click',)) driver.switch_to.alert.accept() select(driver, ['tf-navigation', 'shadow_root', '#identity'], ('click',))