From 6a6f6902825c4af7720858d6a57ec29fc5fc90fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ram=C3=B3n=20Souza?= <contato@ramonsouza.com>
Date: Wed, 8 Dec 2021 19:26:00 +0000
Subject: [PATCH] increase current-poll security

---
 .../imports/api/polls/server/publishers.js                | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/bigbluebutton-html5/imports/api/polls/server/publishers.js b/bigbluebutton-html5/imports/api/polls/server/publishers.js
index d2e9d63cb9..87cb867234 100644
--- a/bigbluebutton-html5/imports/api/polls/server/publishers.js
+++ b/bigbluebutton-html5/imports/api/polls/server/publishers.js
@@ -32,11 +32,12 @@ function currentPoll(secretPoll) {
 
   const User = Users.findOne({ userId, meetingId }, { fields: { role: 1, presenter: 1 } });
 
-  if (!!User && (User.role === ROLE_MODERATOR || User.presenter)) {
+  if (!!User && User.presenter) {
     Logger.debug('Publishing Polls', { meetingId, userId });
 
     const selector = {
       meetingId,
+      requester: userId,
     };
 
     const options = { fields: {} };
@@ -45,13 +46,16 @@ function currentPoll(secretPoll) {
 
     if ((hasPoll && hasPoll.secretPoll) || secretPoll) {
       options.fields.responses = 0;
+      selector.secretPoll = true;
+    } else {
+      selector.secretPoll = false;
     }
 
     return Polls.find(selector, options);
   }
 
   Logger.warn(
-    'Publishing current-poll was requested by non-moderator connection',
+    'Publishing current-poll was requested by non-presenter connection',
     { meetingId, userId, connectionId: this.connection.id },
   );
   return Polls.find({ meetingId: '' });