Fix Acl for cursor/annotations for pods

2018-08-01 10:21:33 -03:00 · 2018-08-01 10:21:33 -03:00 · 3c2bb8748a
commit 3c2bb8748a
parent ce021e6776
5 changed files with 26 additions and 4 deletions
--- a/bigbluebutton-html5/imports/api/annotations/server/methods/clearWhiteboard.js
+++ b/bigbluebutton-html5/imports/api/annotations/server/methods/clearWhiteboard.js
@ -4,6 +4,8 @@ import RedisPubSub from '/imports/startup/server/redis';
 import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';

+import isPodPresenter from '/imports/api/presentation-pods/server/utils/isPodPresenter';
+
 export default function clearWhiteboard(credentials, whiteboardId) {
  const REDIS_CONFIG = Meteor.settings.private.redis;
  const CHANNEL = REDIS_CONFIG.channels.toAkkaApps;
@ -16,7 +18,8 @@ export default function clearWhiteboard(credentials, whiteboardId) {
  check(requesterToken, String);
  check(whiteboardId, String);

-  const allowed = Acl.can('methods.clearWhiteboard', credentials) || getMultiUserStatus(meetingId, whiteboardId);
+  const allowed = isPodPresenter(meetingId, whiteboardId, requesterUserId) 
+    || getMultiUserStatus(meetingId, whiteboardId);
  if (!allowed) {
    throw new Meteor.Error('not-allowed', `User ${requesterUserId} is not allowed to clear the whiteboard`);
  }
--- a/bigbluebutton-html5/imports/api/annotations/server/methods/sendAnnotation.js
+++ b/bigbluebutton-html5/imports/api/annotations/server/methods/sendAnnotation.js
@ -5,6 +5,8 @@ import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
 import Annotations from '/imports/api/annotations';

+import isPodPresenter from '/imports/api/presentation-pods/server/utils/isPodPresenter';
+
 function isLastMessage(meetingId, annotation, userId) {
  const DRAW_END = Meteor.settings.public.whiteboard.annotations.status.end;

@ -43,7 +45,7 @@ export default function sendAnnotation(credentials, annotation) {
  // and then slide/presentation changes, the user lost presenter rights,
  // or multi-user whiteboard gets turned off
  // So we allow the last "DRAW_END" message to pass through, to finish the shape.
-  const allowed = Acl.can('methods.sendAnnotation', credentials) ||
+  const allowed =  isPodPresenter(meetingId, whiteboardId, requesterUserId) ||
    getMultiUserStatus(meetingId, whiteboardId) ||
    isLastMessage(meetingId, annotation, requesterUserId);

--- a/bigbluebutton-html5/imports/api/annotations/server/methods/undoAnnotation.js
+++ b/bigbluebutton-html5/imports/api/annotations/server/methods/undoAnnotation.js
@ -4,6 +4,8 @@ import RedisPubSub from '/imports/startup/server/redis';
 import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';

+import isPodPresenter from '/imports/api/presentation-pods/server/utils/isPodPresenter';
+
 export default function undoAnnotation(credentials, whiteboardId) {
  const REDIS_CONFIG = Meteor.settings.private.redis;
  const CHANNEL = REDIS_CONFIG.channels.toAkkaApps;
@ -16,7 +18,9 @@ export default function undoAnnotation(credentials, whiteboardId) {
  check(requesterToken, String);
  check(whiteboardId, String);

-  const allowed = Acl.can('methods.undoAnnotation', credentials) || getMultiUserStatus(meetingId, whiteboardId);
+  const allowed = isPodPresenter(meetingId, whiteboardId, requesterUserId)
+    || getMultiUserStatus(meetingId, whiteboardId);
+
  if (!allowed) {
    throw new Meteor.Error('not-allowed', `User ${requesterUserId} is not allowed to undo the annotation`);
  }
--- a/bigbluebutton-html5/imports/api/cursor/server/methods/publishCursorUpdate.js
+++ b/bigbluebutton-html5/imports/api/cursor/server/methods/publishCursorUpdate.js
@ -4,6 +4,7 @@ import Acl from '/imports/startup/acl';
 import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';

+import isPodPresenter from '/imports/api/presentation-pods/server/utils/isPodPresenter';

 export default function publishCursorUpdate(credentials, payload) {
  const REDIS_CONFIG = Meteor.settings.private.redis;
@ -21,7 +22,10 @@ export default function publishCursorUpdate(credentials, payload) {
    whiteboardId: String,
  });

-  const allowed = Acl.can('methods.moveCursor', credentials) || getMultiUserStatus(meetingId, payload.whiteboardId);
+  const { whiteboardId } = payload;
+
+  const allowed = isPodPresenter(meetingId, whiteboardId, requesterUserId)
+    || getMultiUserStatus(meetingId, whiteboardId);
  if (!allowed) {
    throw new Meteor.Error('not-allowed', `User ${requesterUserId} is not allowed to move the cursor`);
  }
--- a/bigbluebutton-html5/imports/api/presentation-pods/server/utils/isPodPresenter.js
+++ b/bigbluebutton-html5/imports/api/presentation-pods/server/utils/isPodPresenter.js
@ -0,0 +1,9 @@
+import Slides from '/imports/api/slides';
+import PresentationPods from '/imports/api/presentation-pods';
+
+export default function isPodPresenter(meetingId, whiteboardId, userId) {
+  const slide = Slides.findOne({ meetingId, id: whiteboardId });
+  const pod = PresentationPods.findOne({ meetingId, podId: slide.podId });
+
+  return pod.currentPresenterId === userId;
+}