From ce6f00e8356fdaa025459828abcfc0e4152a90ae Mon Sep 17 00:00:00 2001
From: Namonay <thek7995@gmail.com>
Date: Tue, 7 May 2024 15:55:13 +0200
Subject: [PATCH] add: tictactoe: security fix

---
 .../static/js/api/game/tictactoe/TicTacToeGame.js   |  2 ++
 games/consumers.py                                  | 13 +++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/frontend/static/js/api/game/tictactoe/TicTacToeGame.js b/frontend/static/js/api/game/tictactoe/TicTacToeGame.js
index 643321a..26a405c 100644
--- a/frontend/static/js/api/game/tictactoe/TicTacToeGame.js
+++ b/frontend/static/js/api/game/tictactoe/TicTacToeGame.js
@@ -55,6 +55,7 @@ class TicTacToe
 
 			case 'game_move':
 				if (messageData.targetMorpion === undefined || messageData.targetCase === undefined)
+					return ;
 				this.map[messageData.targetMorpion][messageData.targetCase] = (this.sign == "x") ? 1 : 0;
 				this.printSign(messageData.targetMorpion, messageData.targetCase, (this.sign == "x") ? "o" : "x");
 				this.setOutline(this.currentMorpion, false);
@@ -154,6 +155,7 @@ class TicTacToe
 			return -1
 		}
 	}
+
 	onClick(event, morpion)
 	{
 		let x = event.offsetX;
diff --git a/games/consumers.py b/games/consumers.py
index bdfc0b3..b4a5e43 100644
--- a/games/consumers.py
+++ b/games/consumers.py
@@ -58,25 +58,26 @@ class TicTacToeWebSocket(WebsocketConsumer):
     def receive(self, text_data=None, bytes_data=None):
         data = json.loads(text_data)
 
-        if (data.get("targetMorpion") is not None and data.get("targetCase") is not None):
-            if (self.game.add(data, self.member) == False):
+        if (data.get("targetMorpion") is not None and data.get("targetCase") is not None): # A move has been played
+            if (self.game.add(data, self.member) == False): # If the move is invalid
                 return
+            self.game.broadcast("game_move", data, [self.member])
 
-        if (data.get("timerIsDue") is not None and self.game.time + 20 < time.time()):
+        if (data.get("timerIsDue") is not None and self.game.time + 20 < time.time()): # Frontend asking if the timer is due
             self.winner = 'x' if self.game.turn == 'o' else 'o'
             self.game.model.finish(self.user)
             self.game.broadcast("game_end", {"winning_sign": self.winner})
 
-        if (self.game.checkWin() != False):
+        if (self.game.checkWin() != False): # Check if after a move, the game is finished
             self.winner = self.game.checkWin()
             self.game.model.finish(self.user)
             self.game.broadcast("game_end", {"winning_sign": self.winner})
 
-        self.game.broadcast("game_move", data, [self.member])
 
     def disconnect(self, event):
         try:
-            self.member.socket = None
+            if (self.member is not None):
+                self.member.disconnect()
         except:
             pass