bigbluebutton-Github/bigbluebutton-html5/imports/startup/server/userPermissions.js

import Users from '/imports/api/2.0/users';
import Meetings from '/imports/api/1.1/meetings';
import { logger } from '/imports/startup/server/logger';

const presenter = {
  switchSlide: true,

  // poll
  subscribePoll: true,
  subscribeAnswers: true,

};

// holds the values for whether the moderator user is allowed to perform an action (true)
// or false if not allowed. Some actions have dynamic values depending on the current lock settings
const moderator = {
  // audio listen only
  joinListenOnly: true,
  leaveListenOnly: true,

  // join audio with mic cannot be controlled on the server side as it is
  // a client side only functionality

  // raising/lowering hand
  raiseOwnHand: true,
  lowerOwnHand: true,

  // muting
  muteSelf: true,
  unmuteSelf: true,
  muteOther: true,
  unmuteOther: true,

  logoutSelf: true,

  // subscribing
  subscribeUsers: true,
  subscribeChat: true,

  // chat
  chatPublic: true,
  chatPrivate: true,

  // poll
  subscribePoll: true,
  subscribeAnswers: false,

  // emojis
  setEmojiStatus: true,
  clearEmojiStatus: true,

  // user control
  kickUser: true,
  setPresenter: true,

  // captions
  subscribeCaptions: true,
};

// holds the values for whether the viewer user is allowed to perform an action (true)
// or false if not allowed. Some actions have dynamic values depending on the current lock settings
const viewer = function (meetingId, userId) {
  let meeting;
  let user;

  return {

    // listen only
    joinListenOnly: true,
    leaveListenOnly: true,

    // join audio with mic cannot be controlled on the server side as it is
    // a client side only functionality

    // raising/lowering hand
    raiseOwnHand: true,
    lowerOwnHand: true,

    // muting
    muteSelf: true,
    unmuteSelf:
      !((meeting = Meetings.findOne({ meetingId })) != null &&
        meeting.roomLockSettings.disableMic) ||
      !((user = Users.findOne({ meetingId, userId })) != null &&
        user.user.locked),

    logoutSelf: true,

    // subscribing
    subscribeUsers: true,
    subscribeChat: true,

    // chat
    chatPublic: !((meeting = Meetings.findOne({ meetingId })) != null &&
      meeting.roomLockSettings.disablePublicChat) ||
      !((user = Users.findOne({ meetingId, userId })) != null &&
      user.user.locked) ||
      (user != null && user.user.presenter),

    chatPrivate: !((meeting = Meetings.findOne({ meetingId })) != null &&
      meeting.roomLockSettings.disablePrivateChat) ||
      !((user = Users.findOne({ meetingId, userId })) != null &&
      user.user.locked) ||
      (user != null && user.user.presenter),

    // poll
    subscribePoll: true,
    subscribeAnswers: false,

    // emojis
    setEmojiStatus: true,
    clearEmojiStatus: true,

    // captions
    subscribeCaptions: true,
  };
};

// carries out the decision making for actions affecting users. For the list of
// actions and the default value - see 'viewer' and 'moderator' in the beginning of the file
export function isAllowedTo(action, credentials) {
  const meetingId = credentials.meetingId;
  const userId = credentials.requesterUserId;
  const authToken = credentials.requesterToken;

  const user = Users.findOne({
    meetingId,
    userId,
  });

  const allowedToInitiateRequest = user &&
    user.authToken === authToken &&
    user.validated &&
    user.clientType === 'HTML5' &&
    user.user &&
    user.user.connection_status === 'online';

  const listOfSafeActions = ['logoutSelf'];

  const requestIsSafe = listOfSafeActions.includes(action);

  if (requestIsSafe) {
    logger.info(`permissions: requestIsSafe for ${action} by userId=${userId} allowed`);
    return true;
  }

  if (allowedToInitiateRequest) {
    let result = false;

    // check role specific actions
    if (user.user.role === 'MODERATOR') {
      logger.debug('user permissions moderator case');
      result = result || moderator[action];
    } else if (user.user.role === 'VIEWER') {
      logger.debug('user permissions viewer case');
      result = result || viewer(meetingId, userId)[action];
    }

    // check presenter actions
    if (user.user.presenter) {
      logger.debug('user permissions presenter case');
      result = result || presenter[action];
    }

    logger.debug(`attempt from userId=${userId} to perform:${action}, allowed=${result}`);

    return result;
  }
  logger.error(`FAILED due to permissions:${action} ${JSON.stringify(credentials)}`);
  return false;
}
we do not have 1.0 user messages coming from bbb so use 2.0 only 2017-06-28 06:14:53 +08:00			`import Users from '/imports/api/2.0/users';`
Move api to api/1.1 2017-06-19 19:57:32 +08:00			`import Meetings from '/imports/api/1.1/meetings';`
move files to imports 2016-05-05 02:29:43 +08:00			`import { logger } from '/imports/startup/server/logger';`
move collections out of Meteor 2016-04-29 05:10:43 +08:00
avoid race cond when subscribing for data 2016-05-13 22:34:29 +08:00			`const presenter = {`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`switchSlide: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// poll`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`subscribePoll: true,`
Autofixed most of the linter warnings related to the Airbnb JavaScript Style Guide. Conflicts: bigbluebutton-html5/client/globals.js bigbluebutton-html5/client/views/whiteboard/whiteboard.js bigbluebutton-html5/server/collection_methods/users.js bigbluebutton-html5/server/server.js 2016-03-14 09:46:29 +08:00			`subscribeAnswers: true,`
Fix assignPresenter method 2017-02-22 21:42:42 +08:00
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`};`

Got all the single-line comments back. 2016-01-15 13:46:41 +08:00			`// holds the values for whether the moderator user is allowed to perform an action (true)`
			`// or false if not allowed. Some actions have dynamic values depending on the current lock settings`
avoid race cond when subscribing for data 2016-05-13 22:34:29 +08:00			`const moderator = {`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00			`// audio listen only`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`joinListenOnly: true,`
			`leaveListenOnly: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
			`// join audio with mic cannot be controlled on the server side as it is`
			`// a client side only functionality`

			`// raising/lowering hand`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`raiseOwnHand: true,`
			`lowerOwnHand: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
			`// muting`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`muteSelf: true,`
			`unmuteSelf: true,`
allow for mute/unmute by moderator 2017-02-02 03:14:32 +08:00			`muteOther: true,`
			`unmuteOther: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`logoutSelf: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// subscribing`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`subscribeUsers: true,`
			`subscribeChat: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// chat`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`chatPublic: true,`
			`chatPrivate: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// poll`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`subscribePoll: true,`
			`subscribeAnswers: false,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// emojis`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`setEmojiStatus: true,`
			`clearEmojiStatus: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// user control`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`kickUser: true,`
Autofixed most of the linter warnings related to the Airbnb JavaScript Style Guide. Conflicts: bigbluebutton-html5/client/globals.js bigbluebutton-html5/client/views/whiteboard/whiteboard.js bigbluebutton-html5/server/collection_methods/users.js bigbluebutton-html5/server/server.js 2016-03-14 09:46:29 +08:00			`setPresenter: true,`
adding captions support in html5 (part1) 2016-06-14 01:09:40 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// captions`
adding captions support in html5 (part1) 2016-06-14 01:09:40 +08:00			`subscribeCaptions: true,`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`};`

Got all the single-line comments back. 2016-01-15 13:46:41 +08:00			`// holds the values for whether the viewer user is allowed to perform an action (true)`
			`// or false if not allowed. Some actions have dynamic values depending on the current lock settings`
avoid race cond when subscribing for data 2016-05-13 22:34:29 +08:00			`const viewer = function (meetingId, userId) {`
Fixed all the 120+ linter warnings 2016-06-28 02:24:37 +08:00			`let meeting;`
			`let user;`

Moved to ES2015. 2016-01-13 04:15:16 +08:00			`return {`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
			`// listen only`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`joinListenOnly: true,`
			`leaveListenOnly: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
			`// join audio with mic cannot be controlled on the server side as it is`
			`// a client side only functionality`

			`// raising/lowering hand`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`raiseOwnHand: true,`
			`lowerOwnHand: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
			`// muting`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`muteSelf: true,`
Fixed all the 120+ linter warnings 2016-06-28 02:24:37 +08:00			`unmuteSelf:`
clean up 2017-02-02 03:27:25 +08:00			`!((meeting = Meetings.findOne({ meetingId })) != null &&`
Fixed all the 120+ linter warnings 2016-06-28 02:24:37 +08:00			`meeting.roomLockSettings.disableMic) \|\|`
clean up 2017-02-02 03:27:25 +08:00			`!((user = Users.findOne({ meetingId, userId })) != null &&`
Fixed all the 120+ linter warnings 2016-06-28 02:24:37 +08:00			`user.user.locked),`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`logoutSelf: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// subscribing`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`subscribeUsers: true,`
			`subscribeChat: true,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// chat`
clean up 2017-02-02 03:27:25 +08:00			`chatPublic: !((meeting = Meetings.findOne({ meetingId })) != null &&`
Fixed all the 120+ linter warnings 2016-06-28 02:24:37 +08:00			`meeting.roomLockSettings.disablePublicChat) \|\|`
clean up 2017-02-02 03:27:25 +08:00			`!((user = Users.findOne({ meetingId, userId })) != null &&`
Fixed all the 120+ linter warnings 2016-06-28 02:24:37 +08:00			`user.user.locked) \|\|`
			`(user != null && user.user.presenter),`

clean up 2017-02-02 03:27:25 +08:00			`chatPrivate: !((meeting = Meetings.findOne({ meetingId })) != null &&`
Fixed all the 120+ linter warnings 2016-06-28 02:24:37 +08:00			`meeting.roomLockSettings.disablePrivateChat) \|\|`
clean up 2017-02-02 03:27:25 +08:00			`!((user = Users.findOne({ meetingId, userId })) != null &&`
Fixed all the 120+ linter warnings 2016-06-28 02:24:37 +08:00			`user.user.locked) \|\|`
			`(user != null && user.user.presenter),`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// poll`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`subscribePoll: true,`
			`subscribeAnswers: false,`
Got all the single-line comments back. 2016-01-15 13:46:41 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// emojis`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`setEmojiStatus: true,`
Autofixed most of the linter warnings related to the Airbnb JavaScript Style Guide. Conflicts: bigbluebutton-html5/client/globals.js bigbluebutton-html5/client/views/whiteboard/whiteboard.js bigbluebutton-html5/server/collection_methods/users.js bigbluebutton-html5/server/server.js 2016-03-14 09:46:29 +08:00			`clearEmojiStatus: true,`
adding captions support in html5 (part1) 2016-06-14 01:09:40 +08:00
Linter auto fix 2017-06-03 03:25:02 +08:00			`// captions`
adding captions support in html5 (part1) 2016-06-14 01:09:40 +08:00			`subscribeCaptions: true,`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`};`
			`};`

Got all the single-line comments back. 2016-01-15 13:46:41 +08:00			`// carries out the decision making for actions affecting users. For the list of`
			`// actions and the default value - see 'viewer' and 'moderator' in the beginning of the file`
Changes credential passing to 1 object 2016-05-17 02:12:27 +08:00			`export function isAllowedTo(action, credentials) {`
			`const meetingId = credentials.meetingId;`
			`const userId = credentials.requesterUserId;`
			`const authToken = credentials.requesterToken;`

rework userPermissions to allow mixture of role/status based actions 2017-02-03 00:41:48 +08:00			`const user = Users.findOne({`
clean up 2017-02-02 03:27:25 +08:00			`meetingId,`
			`userId,`
Reworked ES6 on the server side 2016-01-30 09:33:40 +08:00			`});`
clean up 2017-02-02 03:27:25 +08:00
fix merge conflicts 2017-05-17 23:54:48 +08:00			`const allowedToInitiateRequest = user &&`
auto allow benign actions 2017-05-12 03:15:12 +08:00			`user.authToken === authToken &&`
rework userPermissions to allow mixture of role/status based actions 2017-02-03 00:41:48 +08:00			`user.validated &&`
Fix client lint issues except those which are comment related 2017-05-16 23:37:17 +08:00			`user.clientType === 'HTML5' &&`
auto allow benign actions 2017-05-12 03:15:12 +08:00			`user.user &&`
			`user.user.connection_status === 'online';`

remove new operator 2017-05-19 22:25:24 +08:00			`const listOfSafeActions = ['logoutSelf'];`
auto allow benign actions 2017-05-12 03:15:12 +08:00
			`const requestIsSafe = listOfSafeActions.includes(action);`

			`if (requestIsSafe) {`
			logger.info(`permissions: requestIsSafe for ${action} by userId=${userId} allowed`);
			`return true;`
			`}`
rework userPermissions to allow mixture of role/status based actions 2017-02-03 00:41:48 +08:00
			`if (allowedToInitiateRequest) {`
			`let result = false;`

			`// check role specific actions`
Fix client lint issues except those which are comment related 2017-05-16 23:37:17 +08:00			`if (user.user.role === 'MODERATOR') {`
rework userPermissions to allow mixture of role/status based actions 2017-02-03 00:41:48 +08:00			`logger.debug('user permissions moderator case');`
			`result = result \|\| moderator[action];`
Fix client lint issues except those which are comment related 2017-05-16 23:37:17 +08:00			`} else if (user.user.role === 'VIEWER') {`
rework userPermissions to allow mixture of role/status based actions 2017-02-03 00:41:48 +08:00			`logger.debug('user permissions viewer case');`
			`result = result \|\| viewer(meetingId, userId)[action];`
			`}`
Autofixed most of the linter warnings related to the Airbnb JavaScript Style Guide. Conflicts: bigbluebutton-html5/client/globals.js bigbluebutton-html5/client/views/whiteboard/whiteboard.js bigbluebutton-html5/server/collection_methods/users.js bigbluebutton-html5/server/server.js 2016-03-14 09:46:29 +08:00
rework userPermissions to allow mixture of role/status based actions 2017-02-03 00:41:48 +08:00			`// check presenter actions`
			`if (user.user.presenter) {`
			`logger.debug('user permissions presenter case');`
			`result = result \|\| presenter[action];`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`}`
Corrections 2016-02-02 02:38:15 +08:00
rework userPermissions to allow mixture of role/status based actions 2017-02-03 00:41:48 +08:00			logger.debug(`attempt from userId=${userId} to perform:${action}, allowed=${result}`);

			`return result;`
Moved to ES2015. 2016-01-13 04:15:16 +08:00			`}`
Linter auto fix 2017-06-03 03:25:02 +08:00			logger.error(`FAILED due to permissions:${action} ${JSON.stringify(credentials)}`);
			`return false;`
			`}`