X-Git-Url: https://git.auder.net/?a=blobdiff_plain;f=server%2Fmodels%2FGame.js;h=21ece2f181a872434662dedce1fa4b878acab835;hb=fb68b0c2e3dae0be3e1f55b9516070c2731cf8d9;hp=ae91ac94954397ce67c608de8d7bcbc921b9d272;hpb=866842c3c310524c034922870234120ed2a16cbf;p=vchess.git
diff --git a/server/models/Game.js b/server/models/Game.js
index ae91ac94..21ece2f1 100644
--- a/server/models/Game.js
+++ b/server/models/Game.js
@@ -208,7 +208,7 @@ const GameModel =
 },
 
 // obj can have fields move, chat, fen, drawOffer and/or score + message
- update: function(id, obj)
+ update: function(id, obj, cb)
 {
 db.parallelize(function() {
 let query =
@@ -235,14 +235,27 @@ const GameModel =
 query += modifs + " WHERE id = " + id;
 db.run(query);
 }
+ let wrongMoveIndex = false;
 if (obj.move)
 {
- const m = obj.move;
+ // Security: only update moves if index is right
 query =
- "INSERT INTO Moves (gid, squares, played, idx) VALUES " +
- "(" + id + ",?," + m.played + "," + m.idx + ")";
- db.run(query, JSON.stringify(m.squares));
+ "SELECT MAX(idx) AS maxIdx " +
+ "FROM Moves " +
+ "WHERE gid = " + id;
+ db.get(query, (err,ret) => {
+ const m = obj.move;
+ if (!ret.maxIdx || ret.maxIdx + 1 == m.idx) {
+ query =
+ "INSERT INTO Moves (gid, squares, played, idx) VALUES " +
+ "(" + id + ",?," + m.played + "," + m.idx + ")";
+ db.run(query, JSON.stringify(m.squares));
+ cb(null);
+ }
+ else cb({errmsg:"Wrong move index"});
+ });
 }
+ else cb(null);
 if (obj.chat)
 {
 query =
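Review bot: `cb` becomes a required argument in `update: function(id, obj, cb)` because the next hunk calls it on every path (`else cb(null);`), so any call site still written as `update(id, obj)` would throw a TypeError. The callers are not visible in this diff, so either confirm they were all updated or default it at the top of the function, e.g. `cb = cb || (() => {});`. The comment above `update` should also state the contract, for example `// cb(err): null when the move was stored or obj has no move, {errmsg} when the move index is rejected`. The body of `update` continues outside this hunk.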
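Review bot: The guard `!ret.maxIdx || ret.maxIdx + 1 == m.idx` is also true when `maxIdx` is 0, so if move indices start at 0 the index check is skipped once a single move is stored, and in every branch `m.played` (plus `m.idx` whenever the check is skipped) is still concatenated into the INSERT, which stays an SQL injection path if `obj.move` comes from the client without upstream validation. `err` is ignored, so a failed SELECT makes `ret.maxIdx` throw inside the callback, and `cb(null)` fires before the INSERT result is known. The `db.run(query)` on the Games row at the top of this hunk appears to run before the check, so a rejected move can still change the stored game fields, and `wrongMoveIndex` is never read in the visible lines. Since SELECT-then-INSERT is not atomic, a UNIQUE constraint on `(gid, idx)` would be the reliable backstop. The sketch below binds every value and distinguishes NULL from 0, assuming the usual node-sqlite3 signatures; the body of `update` continues outside this hunk.

```javascript
// … unchanged: Games UPDATE above, `if (obj.move) {` …
db.get(
  "SELECT MAX(idx) AS maxIdx FROM Moves WHERE gid = ?",
  id,
  (err, ret) => {
    if (err || !ret) return cb({errmsg: "Database error"});
    const m = obj.move;
    // Reject anything that is not a plain integer before comparing
    if (!Number.isInteger(m.idx)) return cb({errmsg: "Wrong move index"});
    // maxIdx is NULL only when the game has no moves yet; 0 is a real index
    if (ret.maxIdx !== null && ret.maxIdx + 1 !== m.idx)
      return cb({errmsg: "Wrong move index"});
    db.run(
      "INSERT INTO Moves (gid, squares, played, idx) VALUES (?,?,?,?)",
      [id, JSON.stringify(m.squares), m.played, m.idx],
      (insertErr) => cb(insertErr ? {errmsg: "Database error"} : null)
    );
  }
);
// … unchanged: `else cb(null);` and obj.chat handling below …
```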