bigbluebutton-Github/bigbluebutton-html5/app/server/user_permissions.coffee


moderator = null
presenter = null
viewer =
  # raising/lowering hand
  raiseOwnHand : true
  lowerOwnHand : true

  # muting
  muteSelf : true
  unmuteSelf : true

  logoutSelf : true

  #subscribing
  subscribeUsers: true
  subscribeChat: true

  #chat
  chatPublic: true #should make this dynamically modifiable later on
  chatPrivate: true #should make this dynamically modifiable later on

@isAllowedTo = (action, meetingId, userId, authToken) ->
  # Disclaimer:the current version of the HTML5 client represents only VIEWER users

  validated = Meteor.Users.findOne({meetingId:meetingId, userId: userId})?.validated
  Meteor.log.info "in isAllowedTo: action-#{action}, userId=#{userId}, authToken=#{authToken} validated:#{validated}"

  user = Meteor.Users.findOne({meetingId:meetingId, userId: userId})

  if user? and authToken is user.authToken # check if the user is who he claims to be
    if user.validated and user.clientType is "HTML5"
      if user.user?.role is 'VIEWER' or user.user?.role is undefined
        return viewer[action] or false
      else
        Meteor.log.warn "UNSUCCESSFULL ATTEMPT FROM userid=#{userId} to perform:#{action}"
        return false
    else
      # user was not validated
      if action is "logoutSelf"
        # on unsuccessful sign-in
        Meteor.log.warn "a user was successfully removed from the meeting following an unsuccessful login"
        return true
      return false

  else
    Meteor.log.error "in meetingId=#{meetingId} userId=#{userId} tried to perform #{action} without permission" +
     "\n..while the authToken was #{user.authToken}    and the user's object is #{JSON.stringify user}"
    return false
using roles and predefined permissions per role for raising/lowering hand 2014-11-15 00:00:55 +08:00
			`moderator = null`
			`presenter = null`
			`viewer =`
			`# raising/lowering hand`
			`raiseOwnHand : true`
			`lowerOwnHand : true`

reworked [un]muting user so it uses userId and userSecret 2014-11-19 03:35:51 +08:00			`# muting`
			`muteSelf : true`
			`unmuteSelf : true`

reworked userLogout, added secret 2014-11-19 06:03:13 +08:00			`logoutSelf : true`

use authToken for subscribing 2014-11-21 07:35:30 +08:00			`#subscribing`
			`subscribeUsers: true`
			`subscribeChat: true`

chat with authToken+userid instead of userSecret+dbid 2014-11-27 06:49:21 +08:00			`#chat`
			`chatPublic: true #should make this dynamically modifiable later on`
			`chatPrivate: true #should make this dynamically modifiable later on`

authToken instead of userSecret 2014-11-22 01:45:44 +08:00			`@isAllowedTo = (action, meetingId, userId, authToken) ->`
rearranged the permissions so that even unvalidated users should be allowed to logoutSelf as long as authenticated Conflicts: labs/meteor-client/app/lib/router.coffee 2015-02-14 08:14:49 +08:00			`# Disclaimer:the current version of the HTML5 client represents only VIEWER users`

add a flag for HTML5 users. add a flag for html5 users that validated successfully. Use these flags for action authorization. From now onwards we only allow users that got validate_auth_token_reply with true to proceed and enter a meeting. No restriction for the flash client users. Dummy users are now added only for html5 users when requesting validation from BBB 2015-02-07 01:21:31 +08:00			`validated = Meteor.Users.findOne({meetingId:meetingId, userId: userId})?.validated`
			`Meteor.log.info "in isAllowedTo: action-#{action}, userId=#{userId}, authToken=#{authToken} validated:#{validated}"`
using roles and predefined permissions per role for raising/lowering hand 2014-11-15 00:00:55 +08:00
			`user = Meteor.Users.findOne({meetingId:meetingId, userId: userId})`
rearranged the permissions so that even unvalidated users should be allowed to logoutSelf as long as authenticated Conflicts: labs/meteor-client/app/lib/router.coffee 2015-02-14 08:14:49 +08:00
			`if user? and authToken is user.authToken # check if the user is who he claims to be`
			`if user.validated and user.clientType is "HTML5"`
in a race condition the user did not have a user.role 2014-12-10 06:10:06 +08:00			`if user.user?.role is 'VIEWER' or user.user?.role is undefined`
using roles and predefined permissions per role for raising/lowering hand 2014-11-15 00:00:55 +08:00			`return viewer[action] or false`
rearranged the permissions so that even unvalidated users should be allowed to logoutSelf as long as authenticated Conflicts: labs/meteor-client/app/lib/router.coffee 2015-02-14 08:14:49 +08:00			`else`
			`Meteor.log.warn "UNSUCCESSFULL ATTEMPT FROM userid=#{userId} to perform:#{action}"`
			`return false`
			`else`
			`# user was not validated`
			`if action is "logoutSelf"`
			`# on unsuccessful sign-in`
			`Meteor.log.warn "a user was successfully removed from the meeting following an unsuccessful login"`
			`return true`
			`return false`
using roles and predefined permissions per role for raising/lowering hand 2014-11-15 00:00:55 +08:00
add a flag for HTML5 users. add a flag for html5 users that validated successfully. Use these flags for action authorization. From now onwards we only allow users that got validate_auth_token_reply with true to proceed and enter a meeting. No restriction for the flash client users. Dummy users are now added only for html5 users when requesting validation from BBB 2015-02-07 01:21:31 +08:00			`else`
rearranged the permissions so that even unvalidated users should be allowed to logoutSelf as long as authenticated Conflicts: labs/meteor-client/app/lib/router.coffee 2015-02-14 08:14:49 +08:00			`Meteor.log.error "in meetingId=#{meetingId} userId=#{userId} tried to perform #{action} without permission" +`
			`"\n..while the authToken was #{user.authToken} and the user's object is #{JSON.stringify user}"`
			`return false`