chat idor bug fix (#692)

tanfarming · web-flow · commit 4c808bca9ea9 · 2023-03-08T14:24:37.000-05:00
deliberately dropping the string session_id key to prevent idor hack in chat
diff --git a/lib/ret_web/channels/hub_channel.ex b/lib/ret_web/channels/hub_channel.ex
@@ -301,7 +301,10 @@ defmodule RetWeb.HubChannel do
       broadcast!(
         socket,
         event,
-        payload |> Map.put(:session_id, socket.assigns.session_id) |> payload_with_from(socket)
+        payload
+        |> Map.delete("session_id")
+        |> Map.put(:session_id, socket.assigns.session_id)
+        |> payload_with_from(socket)
       )
     end
 
