From e4717e0d89ab7d54d6a87010da486c51e8e28327 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Sat, 27 Sep 2025 14:37:12 +0200
Subject: [PATCH] fix(backend): fix potential leak in updateOnlineStatus (#8923)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Wolfgang Huß
---
 backend/src/graphql/resolvers/users.ts | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/backend/src/graphql/resolvers/users.ts b/backend/src/graphql/resolvers/users.ts
index 6720ec0fb..f37c21619 100644
--- a/backend/src/graphql/resolvers/users.ts
+++ b/backend/src/graphql/resolvers/users.ts
@@ -353,14 +353,11 @@ export default {
 session.close()
 }
 },
- updateOnlineStatus: async (_object, args, context, _resolveInfo) => {
+ updateOnlineStatus: async (_object, args, context: Context, _resolveInfo) => {
 const { status } = args
- const {
- user: { id },
- } = context
 const CYPHER_AWAY = `
- MATCH (user:User {id: $id})
+ MATCH (user:User {id: $user.id})
 WITH user,
 CASE user.lastOnlineStatus
 WHEN 'away' THEN user.awaySince
@@ -370,16 +367,14 @@ export default {
 SET user.lastOnlineStatus = $status
 `
 const CYPHER_ONLINE = `
- MATCH (user:User {id: $id})
+ MATCH (user:User {id: $user.id})
 SET user.awaySince = null
 SET user.lastOnlineStatus = $status
 `
- // Last Online Time is saved as `lastActiveAt`
- const session = context.driver.session()
- await session.writeTransaction((transaction) => {
- // return transaction.run(status === 'away' ? CYPHER_AWAY : CYPHER_ONLINE, { id, status })
- return transaction.run(status === 'away' ? CYPHER_AWAY : CYPHER_ONLINE, { id, status })
+ await context.database.write({
+ query: status === 'away' ? CYPHER_AWAY : CYPHER_ONLINE,
+ variables: { user: context.user, status },
 })
 return true
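Review bot: `MATCH (user:User {id: $user.id})` in CYPHER_AWAY, and again in CYPHER_ONLINE in the second hunk, makes the query depend on the whole `context.user` object being sent as a parameter, where the removed code sent only `id`. Every field on the session user then travels to the driver, and to any place query parameters are logged, for a lookup that needs one value; keeping `{id: $id}` and passing `variables: { id: context.user.id, status }` keeps the parameter set minimal. The failure mode also changes: the removed destructuring threw when `context.user` was absent, whereas a null `$user` would presumably make the MATCH find nothing while the resolver still returns `true`. Whether authentication is enforced before this resolver is not visible here, so an explicit guard on `context.user` may be worth adding. The resolver body starts in the first hunk and runs through the second.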