fix: proper winner username validation

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-06 00:42:47 -05:00
committed by GitHub
parent a4e5e25f0c
commit da49712a79


@@ -835,11 +835,24 @@ impl Server {
drop(matches_guard); drop(matches_guard);
let the_match = found_match.read().await; let the_match = found_match.read().await;
if winner_username != the_match.player1.to_string()
&& winner_username != the_match.player2.to_string() // Validate that the declared winner is actually one of the players in this match
{ let clients_guard = self.clients.read().await;
let player1_client = clients_guard.get(&the_match.player1);
let player2_client = clients_guard.get(&the_match.player2);
// If we cannot resolve both players, or the winner username doesn't match either, reject
if let (Some(p1_arc), Some(p2_arc)) = (player1_client, player2_client) {
let p1 = p1_arc.read().await;
let p2 = p2_arc.read().await;
if winner_username != p1.username && winner_username != p2.username {
return Err(anyhow!("ERROR:INVALID:AWARD"));
}
} else {
return Err(anyhow!("ERROR:INVALID:AWARD")); return Err(anyhow!("ERROR:INVALID:AWARD"));
} }
drop(clients_guard);
self.matches.write().await.remove(&match_id); self.matches.write().await.remove(&match_id);
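Review bot: The `else` branch rejects the award whenever either player is missing from `self.clients`, so if entries leave that map on disconnect (not visible here), a participant who drops the connection before the result is reported makes the match impossible to conclude on this path, and it stays in `self.matches` because the `remove` comes after the early return. Both failure cases also share `ERROR:INVALID:AWARD`, so logs cannot tell a wrong winner name from an unresolvable player. Consider recording both usernames on the match when it is created and comparing against those, or resolving each side independently and accepting a winner that matches the player who is still present. Separately, `clients_guard` is held across both `p1_arc.read().await` and `p2_arc.read().await`; cloning the handles with `clients_guard.get(&the_match.player1).cloned()` and dropping the guard before awaiting would shorten how long the map lock is held. The enclosing function starts and ends outside this hunk.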