From 216e502c8a34208e3c215361fe179ca856136fc6 Mon Sep 17 00:00:00 2001
From: Andrew Zhu
Date: Thu, 7 Jun 2018 01:38:29 -0700
Subject: [PATCH] add permission check to JSONcharacter
---
 app/Routes/API.js | 15 +++++++++++++--
 app/lib/functions/permissions.js | 3 ++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/app/Routes/API.js b/app/Routes/API.js
index 9978728c..313608a5 100644
--- a/app/Routes/API.js
+++ b/app/Routes/API.js
@@ -30,8 +30,14 @@ Router.map(function() {
 this.response.setHeader("Content-Type", "application/json");
 var query = this.params.query;
 var key = query && query.key;
- ifKeyValid(key, this.response, "jsonCharacterSheet", () =>
- this.response.end(JSONExport(this.params._id))
+ ifKeyValid(key, this.response, "jsonCharacterSheet", () => {
+ if (canViewCharacter(this.params._id, userIdFromKey(key))){
+ this.response.end(JSONExport(this.params._id))
+ } else {
+ this.response.writeHead(403, "You do not have permission to view this character");
+ this.response.end();
+ }
+ }
 );
 },
 });
@@ -62,6 +68,11 @@ var isKeyValid = function(apiKey){
 return !blackListed;
 };
 
+var userIdFromKey = function(apiKey){
+ var user = Meteor.users.findOne({apiKey}); // we know user exists from isKeyValid
+ return user._id;
+}
+
 var rateLimiter = new RateLimiter();
 rateLimiter.addRule({apiKey: String}, 5, 5000);
 rateLimiter.addRule({apiKey: String, method: "vmixCharacter"}, 2, 10000);
diff --git a/app/lib/functions/permissions.js b/app/lib/functions/permissions.js
index 9e658d03..8f160297 100644
--- a/app/lib/functions/permissions.js
+++ b/app/lib/functions/permissions.js
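Review bot: The new 403 branch sends an empty body while the Content-Type set three lines earlier is still `application/json`, and the reason phrase passed as the second argument of writeHead has no representation in HTTP/2 and is ignored by many clients, so the message rarely reaches the caller in a usable form. Put it in a JSON body instead: `this.response.writeHead(403);` followed by `this.response.end(JSON.stringify({error: "You do not have permission to view this character"}));`. The new `this.response.end(JSONExport(this.params._id))` line also dropped the trailing semicolon that its sibling statements carry. Note that canViewCharacter, as patched in this same commit, returns true when no character matches the id, so an unknown `_id` still reaches JSONExport rather than producing a 404 — worth an explicit existence check here unless JSONExport is known to handle that itself. The enclosing route definition under Router.map starts before this hunk.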
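Review bot: `user._id` on the new return line throws a TypeError if no user holds the key, and the comment's claim that isKeyValid guarantees one is not supported by what is visible — the only part of isKeyValid in this hunk is `return !blackListed;`, which reads as a blacklist check rather than an existence check. Guard the lookup explicitly and fetch only the field needed: `var user = Meteor.users.findOne({apiKey}, {fields: {_id: 1}});` then `return user ? user._id : null;`, with the route treating null as a rejected key rather than letting canViewCharacter fall back to Meteor.userId(). A non-string `apiKey` (a missing query parameter, or an array from a repeated `?key=`) should be rejected before the selector is built, e.g. `if (typeof apiKey !== "string") return null;`, since an equality selector against null also matches users that have no apiKey field at all, so the guard is cheap insurance even if ifKeyValid already rejects empty keys. The function expression also ends without the `;` that the neighbouring isKeyValid uses. isKeyValid itself starts before this hunk.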
@@ -9,10 +9,11 @@ canViewCharacter = function(charId, userId){
 userId = userId || Meteor.userId();
 var char = Characters.findOne(
 charId,
- {fields: {owner: 1, writers: 1, readers: 1}}
+ {fields: {owner: 1, writers: 1, readers: 1, "settings.viewPermission": 1}}
 );
 if (!char) return true;
 return userId === char.owner ||
+ char.settings.viewPermission === "public" ||
 _.contains(char.writers, userId) ||
 _.contains(char.readers, userId);
 };
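Review bot: The added `char.settings.viewPermission === "public"` line throws a TypeError for any character whose document has no `settings` object, because the projection leaves `char.settings` undefined in that case, and on the server route that now calls this function that would likely surface as a failed request rather than a denial. Guard the access: `(char.settings && char.settings.viewPermission === "public") ||`. Now that this function gates an API response, the context line `if (!char) return true;` deserves a second look: it grants view access for any id that matches no character, which is fail-open for the route even if it is convenient for client-side UI, so returning false there (or having the route check existence first) would be the safer default, though other callers may rely on the current behaviour. The canViewCharacter signature sits in the hunk header, so the function starts just before this hunk.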