Plugin websocket communication security
Solved
Plugin Development
-
So I'm currently trying to figure out the plugin development with NodeBB. I think I finally found out how the whole communication between a page in the ACP and the plugin works. But I'm now facing a security concern that I'm unclear how to solve.
Actually the problem is twofold:
- If I expose functions in the plugin, what is the best way to make sure that only administrators can call them? Looking at other plugins like the Shoutbox plugin, they add their plugin functions to the `admin` object, thus resulting in calls to `admin.plugins.my-great-plugin.my-great-function`. This way they use the `before` function in the `admin` object that makes sure that only an administrator can call the function. Is this the preferred way to do it? Or should I stay out of this namespace?
- If I send events to the client, how can I make sure those are only received by an administrator? As far as I could tell everyone that is logged in can join the `admin` room. Thus if my plugin sends events to the `admin` room everyone can receive them. Just open your web console and type in `app.enterRoom('admin')` and you receive all those events. What can I do to prevent this?
-
Thank you for the answer.
Regarding the second point: But thus the message would only be received by one user. So if there is only one administrator this wouldn't be a problem. But if there are multiple administrators?
To be honest I don't have a use case for this. Putting it in the `uid_<uid_of_user>` room would be enough for me. So the question is just out of curiosity.
-
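An added illustration of the two points raised in this thread, not code from NodeBB or from the posters: a `before`-style administrator guard on a plugin socket method, and emitting to each administrator's `uid_<uid>` room instead of the joinable `admin` room. The room registry, the admin list and the helper names are constructed stand-ins for NodeBB's socket.io layer so the sample runs offline.

```javascript
// Constructed stand-in for NodeBB's socket.io layer: each connected socket
// knows its uid, the rooms it joined and what it has received.
const sockets = new Map();          // socketId -> { uid, rooms, inbox }
const adminUids = new Set([1]);     // constructed sample: uid 1 is the only admin

function connect(socketId, uid) {
  // NodeBB puts every authenticated socket into its private uid_<uid> room
  sockets.set(socketId, { uid, rooms: new Set([`uid_${uid}`]), inbox: [] });
}

// Any logged-in client can join any room by name (app.enterRoom('admin')),
// which is exactly the problem the first post describes.
function enterRoom(socketId, room) {
  sockets.get(socketId).rooms.add(room);
}

function emitToRoom(room, event, data) {
  for (const s of sockets.values()) {
    if (s.rooms.has(room)) s.inbox.push({ event, data });
  }
}

// Weak pattern: broadcast to the shared 'admin' room; reaches whoever joined it.
function notifyViaAdminRoom(event, data) {
  emitToRoom('admin', event, data);
}

// Safer pattern: address each administrator's own uid_<uid> room, which
// only that user's sockets are placed in.
function notifyAdminsViaUidRooms(event, data) {
  for (const uid of adminUids) emitToRoom(`uid_${uid}`, event, data);
}

// Guard in the spirit of the admin namespace's `before` hook: the handler
// runs only when the calling socket belongs to an administrator.
function guardedCall(socketId, handler, payload) {
  const { uid } = sockets.get(socketId);
  if (!adminUids.has(uid)) throw new Error('[[error:no-privileges]]');
  return handler(uid, payload);
}

// Which sockets received a given event (sorted for stable comparison)
function recipientsOf(event) {
  return [...sockets.entries()]
    .filter(([, s]) => s.inbox.some((m) => m.event === event))
    .map(([id]) => id)
    .sort();
}
```

With several administrators the second pattern simply loops over every admin uid, so each of them receives the event while a non-admin who joined `admin` does not.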
Copyright © 2025 NodeBB | Contributors