add permission check to JSONcharacter

app/Routes/API.js

@@ -30,8 +30,14 @@ Router.map(function() {
 			this.response.setHeader("Content-Type", "application/json");
 			var query = this.params.query;
 			var key = query && query.key;
-			ifKeyValid(key, this.response, "jsonCharacterSheet", () =>
+			ifKeyValid(key, this.response, "jsonCharacterSheet", () => {
-				this.response.end(JSONExport(this.params._id))
+				if (canViewCharacter(this.params._id, userIdFromKey(key))){
+					this.response.end(JSONExport(this.params._id))
+				} else {
+					this.response.writeHead(403, "You do not have permission to view this character");
+					this.response.end();
+				}
+			}
 			);
 		},
 	});
@@ -62,6 +68,11 @@ var isKeyValid = function(apiKey){
 	return !blackListed;
 };
 
+var userIdFromKey = function(apiKey){
+	var user = Meteor.users.findOne({apiKey}); // we know user exists from isKeyValid
+	return user._id;
+}
+
 var rateLimiter = new RateLimiter();
 rateLimiter.addRule({apiKey: String}, 5, 5000);
 rateLimiter.addRule({apiKey: String, method: "vmixCharacter"}, 2, 10000);

app/lib/functions/permissions.js

@@ -9,10 +9,11 @@ canViewCharacter = function(charId, userId){
 	userId = userId || Meteor.userId();
 	var char = Characters.findOne(
 		charId,
-		{fields: {owner: 1, writers: 1, readers: 1}}
+		{fields: {owner: 1, writers: 1, readers: 1, "settings.viewPermission": 1}}
 	);
 	if (!char) return true;
 	return userId === char.owner ||
+		char.settings.viewPermission === "public" ||
 		_.contains(char.writers, userId) ||
 		_.contains(char.readers, userId);
 };