Fixes timed caches.

Allowing a refresh of the timer opened the door to exploits.
author: Nathanael Sensfelder <SpamShield0@MultiAgentSystems.org> 2017-11-28 22:19:38 +0100
committer: Nathanael Sensfelder <SpamShield0@MultiAgentSystems.org> 2017-11-28 22:19:38 +0100
commit: 02da4adf9ae6b477376bb27a092feec06a3f2b91 (patch)
tree: c679a019547f69f0593f2563373a373ce12f1d82 /src/query/load_state.erl
parent: 2273ff20faa24a0daba4e4b43ace250716a39172 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/src/query/load_state.erl b/src/query/load_state.erl
index 1ffbbf8..9c28d2f 100644
--- a/src/query/load_state.erl
+++ b/src/query/load_state.erl
@@ -26,10 +26,12 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 parse_input (Req) ->
    JSONReqMap = jiffy:decode(Req, [return_maps]),
+   PlayerID = maps:get(<<"player_id">>, JSONReqMap),
+   SessionToken =  maps:get(<<"session_token">>, JSONReqMap),
+   database_shim:assert_session_is_valid(PlayerID, SessionToken),
    #input
    {
-      session_token = maps:get(<<"session_token">>, JSONReqMap),
-      player_id = maps:get(<<"player_id">>, JSONReqMap),
+      player_id = PlayerID,
       battlemap_id = maps:get(<<"battlemap_id">>, JSONReqMap),
       instance_id = maps:get(<<"instance_id">>, JSONReqMap)
    }.
author	Nathanael Sensfelder <SpamShield0@MultiAgentSystems.org>	2017-11-28 22:19:38 +0100
committer	Nathanael Sensfelder <SpamShield0@MultiAgentSystems.org>	2017-11-28 22:19:38 +0100
commit	02da4adf9ae6b477376bb27a092feec06a3f2b91 (patch)
tree	c679a019547f69f0593f2563373a373ce12f1d82 /src/query/load_state.erl
parent	2273ff20faa24a0daba4e4b43ace250716a39172 (diff)