From cd4150ebf5404548cf081e8631b90d88af127959 Mon Sep 17 00:00:00 2001
From: Oleksandr Zhurbenko
Date: Wed, 9 Aug 2017 20:59:53 -0700
Subject: [PATCH] Adjusted permissions for the multi-user cursorMove
---
 .../imports/api/2.0/cursor/server/methods.js | 5 ++--
 .../server/methods/publishCursorUpdate.js | 28 ++++++++++++-------
 .../imports/api/common/server/helpers.js | 19 +++++++++----
 3 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/bigbluebutton-html5/imports/api/2.0/cursor/server/methods.js b/bigbluebutton-html5/imports/api/2.0/cursor/server/methods.js
index 3b2b45bb77..f64fb9677e 100755
--- a/bigbluebutton-html5/imports/api/2.0/cursor/server/methods.js
+++ b/bigbluebutton-html5/imports/api/2.0/cursor/server/methods.js
@@ -1,7 +1,6 @@
 import { Meteor } from 'meteor/meteor';
-import mapToAcl from '/imports/startup/mapToAcl';
 import publishCursorUpdate from './methods/publishCursorUpdate';
-Meteor.methods(mapToAcl(['methods.moveCursor'], {
+Meteor.methods({
 publishCursorUpdate,
-}));
+});
diff --git a/bigbluebutton-html5/imports/api/2.0/cursor/server/methods/publishCursorUpdate.js b/bigbluebutton-html5/imports/api/2.0/cursor/server/methods/publishCursorUpdate.js
index 290d2182ec..9cb8a666bc 100755
--- a/bigbluebutton-html5/imports/api/2.0/cursor/server/methods/publishCursorUpdate.js
+++ b/bigbluebutton-html5/imports/api/2.0/cursor/server/methods/publishCursorUpdate.js
@@ -1,7 +1,10 @@
+import { getMultiUserStatus } from '/imports/api/common/server/helpers';
 import RedisPubSub from '/imports/startup/server/redis2x';
+import Acl from '/imports/startup/acl';
 import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
+
 export default function publishCursorUpdate(credentials, coordinates) {
 const REDIS_CONFIG = Meteor.settings.redis;
 const CHANNEL = REDIS_CONFIG.channels.toAkkaApps;
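Review bot: With `mapToAcl` removed in methods.js, `Meteor.methods({ publishCursorUpdate })` registers the method with no permission gate at the registration layer, and nothing in the file says where authorization now lives. Any method later added to this object would be exposed without a check unless its author knows to add one inside the method body. A comment above the call would make that explicit, for example `// Authorization is enforced inside publishCursorUpdate (ACL or multi-user mode); every method registered here must perform its own check.`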
@@ -17,16 +20,21 @@ export default function publishCursorUpdate(credentials, coordinates) {
 yPercent: Number,
 });
- const header = {
- name: EVENT_NAME,
- userId: requesterUserId,
- meetingId,
- };
+ if (Acl.can('methods.moveCursor', credentials) || getMultiUserStatus(meetingId)) {
+ const header = {
+ name: EVENT_NAME,
+ userId: requesterUserId,
+ meetingId,
+ };
- const payload = {
- xPercent: coordinates.xPercent,
- yPercent: coordinates.yPercent,
- };
+ const payload = {
+ xPercent: coordinates.xPercent,
+ yPercent: coordinates.yPercent,
+ };
- return RedisPubSub.publish(CHANNEL, EVENT_NAME, meetingId, payload, header);
+ return RedisPubSub.publish(CHANNEL, EVENT_NAME, meetingId, payload, header);
+ }
+ throw new Meteor.Error(
+ 'not-allowed', `User ${requesterUserId} is not allowed to move the cursor`,
+ );
 }
diff --git a/bigbluebutton-html5/imports/api/common/server/helpers.js b/bigbluebutton-html5/imports/api/common/server/helpers.js
index 9d65f301a6..7517e6666f 100755
--- a/bigbluebutton-html5/imports/api/common/server/helpers.js
+++ b/bigbluebutton-html5/imports/api/common/server/helpers.js
@@ -1,10 +1,9 @@
-import { logger } from '/imports/startup/server/logger';
 import { redisPubSub } from '/imports/startup/server';
-import { BREAK_LINE, CARRIAGE_RETURN, NEW_LINE } from '/imports/utils/lineEndings.js';
+import { BREAK_LINE, CARRIAGE_RETURN, NEW_LINE } from '/imports/utils/lineEndings';
+import WhiteboardMultiUser from '/imports/api/2.0/whiteboard-multi-user/';
 export function appendMessageHeader(eventName, messageObj) {
- let header;
- header = {
+ const header = {
 timestamp: new Date().getTime(),
 name: eventName,
 };
@@ -13,7 +12,7 @@ export function appendMessageHeader(eventName, messageObj) {
 }
 export const indexOf = [].indexOf || function (item) {
- for (let i = 0, l = this.length; i < l; i++) {
+ for (let i = 0, l = this.length; i < l; i += 1) {
 if (i in this && this[i] === item) {
 return i;
 }
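Review bot: In the new guard `if (Acl.can('methods.moveCursor', credentials) || getMultiUserStatus(meetingId))` in publishCursorUpdate.js, the right-hand side decides on `meetingId` alone, so once a meeting is in multi-user mode nothing visible in this hunk evaluates the caller's credentials. `meetingId` and `requesterUserId` are presumably taken from the client-supplied `credentials` above the hunk (the function starts outside it), and the `mapToAcl` wrapper that used to gate the method is removed in methods.js. If no other layer authenticates the caller, cursor events for a multi-user meeting would be published under whatever `userId` the client sends. Consider keeping a credential-validating decision in that branch, e.g. `Acl.can('<multi-user-cursor-permission>', credentials) && getMultiUserStatus(meetingId)`, where the permission name is a placeholder for a dedicated lower-privilege entry. The thrown `Meteor.Error` also echoes `requesterUserId` back to the caller; a fixed reason string plus a server-side log entry for the denial would serve detection better.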
@@ -38,3 +37,13 @@ export const translateHTML5ToFlash = function (message) {
 export const inReplyToHTML5Client = function (arg) {
 return arg.routing.userId === 'nodeJSapp';
 };
+
+export const getMultiUserStatus = (meetingId) => {
+ const data = WhiteboardMultiUser.findOne({ meetingId });
+
+ if (data) {
+ return data.multiUser;
+ }
+
+ return false;
+};
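Review bot: `getMultiUserStatus` now feeds an authorization decision, yet it passes `meetingId` straight into `WhiteboardMultiUser.findOne({ meetingId })` without validating its type. Whether every caller has already run `check` on the value is not visible here, and because the helper is exported it should guard itself with `check(meetingId, String);` (helpers.js would need to import `check` from 'meteor/check') so that a non-string argument cannot be interpreted as a Mongo selector object. Returning `Boolean(data && data.multiUser)` would also keep the result strictly boolean when the field is absent. A short JSDoc stating that a missing document is treated as multi-user off would record the fail-closed default.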