diff --git a/app/.meteor/release b/app/.meteor/release index a94c167a..019e3aef 100644 --- a/app/.meteor/release +++ b/app/.meteor/release @@ -1 +1 @@ -METEOR@1.11 +METEOR@1.11.1 diff --git a/app/.meteor/versions b/app/.meteor/versions index 229799c3..eef98fe2 100644 --- a/app/.meteor/versions +++ b/app/.meteor/versions @@ -10,7 +10,7 @@ akryum:vue-component@0.15.2 akryum:vue-component-dev-client@0.4.7 akryum:vue-component-dev-server@0.1.4 akryum:vue-router2@0.2.3 -aldeed:collection2@3.2.0 +aldeed:collection2@3.2.1 aldeed:schema-index@3.0.0 allow-deny@1.1.0 autoupdate@1.6.0 @@ -20,7 +20,7 @@ base64@1.0.12 binary-heap@1.0.11 blaze@2.3.4 blaze-tools@1.0.10 -boilerplate-generator@1.7.0 +boilerplate-generator@1.7.1 bozhao:link-accounts@2.2.1 caching-compiler@1.2.2 caching-html-compiler@1.1.3 @@ -38,7 +38,7 @@ ddp-rate-limiter@1.0.9 ddp-server@2.3.2 deps@1.0.12 diff-sequence@1.1.1 -dynamic-import@0.5.2 +dynamic-import@0.5.3 ecmascript@0.14.3 ecmascript-runtime@0.7.0 ecmascript-runtime-client@0.11.0 @@ -73,7 +73,7 @@ meteortesting:browser-tests@1.3.4 meteortesting:mocha@1.1.5 meteortesting:mocha-core@7.0.1 mikowals:batch-insert@1.2.0 -minifier-css@1.5.2 +minifier-css@1.5.3 minifier-js@2.6.0 minimongo@1.6.0 mobile-experience@1.1.0 @@ -81,14 +81,14 @@ mobile-status-bar@1.1.0 modern-browsers@0.1.5 modules@0.15.0 modules-runtime@0.12.0 -momentjs:moment@2.27.0 +momentjs:moment@2.29.1 mongo@1.10.0 mongo-decimal@0.1.1 mongo-dev-server@1.1.0 mongo-id@1.0.7 npm-bcrypt@0.9.3 -npm-mongo@3.8.0 -oauth@1.3.0 +npm-mongo@3.8.1 +oauth@1.3.2 oauth2@1.3.0 observe-sequence@1.0.16 ongoworks:speakingurl@9.0.0 @@ -111,7 +111,7 @@ reactive-var@1.0.11 reload@1.3.0 retry@1.1.0 routepolicy@1.1.0 -seba:minifiers-autoprefixer@1.1.2 +seba:minifiers-autoprefixer@1.2.1 service-configuration@1.0.11 session@1.2.0 sha@1.0.9 diff --git a/app/imports/api/creature/creaturePermissions.js b/app/imports/api/creature/creaturePermissions.js index c01d8812..8496d519 100644 
--- a/app/imports/api/creature/creaturePermissions.js
+++ b/app/imports/api/creature/creaturePermissions.js
@@ -24,6 +24,6 @@ export function assertEditPermission(creature, userId) {
 }
 export function assertViewPermission(creature, userId) {
- creature = getCreature(creature, {owner: 1, writers: 1, public: 1});
+ creature = getCreature(creature, {owner: 1, readers:1, writers: 1, public: 1});
 viewPermission(creature, userId);
 }
diff --git a/app/imports/api/sharing/sharingPermissions.js b/app/imports/api/sharing/sharingPermissions.js
index 806e8f4c..9c5739a9 100644
--- a/app/imports/api/sharing/sharingPermissions.js
+++ b/app/imports/api/sharing/sharingPermissions.js
@@ -99,7 +99,7 @@ export function assertViewPermission(doc, userId) {
 return true;
 } else {
 throw new Meteor.Error('View permission denied',
- 'You do not have permission to view this character');
+ 'You do not have permission to view this document');
 }
 }
diff --git a/app/imports/server/publications/characterList.js b/app/imports/server/publications/characterList.js
index 426019e3..34bdd0da 100644
--- a/app/imports/server/publications/characterList.js
+++ b/app/imports/server/publications/characterList.js
@@ -5,7 +5,7 @@ Meteor.publish('characterList', function(){
 this.autorun(function (){
 var userId = this.userId;
 if (!userId) {
- return this.ready();
+ return [];
 }
 const user = Meteor.users.findOne(this.userId, {
 fields: {subscribedCharacters: 1}
diff --git a/app/imports/server/publications/experiences.js b/app/imports/server/publications/experiences.js
index b268c2ba..ef847bd2 100644
--- a/app/imports/server/publications/experiences.js
+++ b/app/imports/server/publications/experiences.js
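Review bot: The projection passed to `getCreature` in `assertViewPermission` has to name every field `viewPermission` reads, and nothing on these lines says so; a field left out of the projection is simply `undefined` at check time, which is presumably how `readers` went unnoticed. Add a comment above the call such as `// Projection must include every field viewPermission inspects`, and write the new key as `readers: 1` to match the spacing of its neighbours. `viewPermission` itself is outside the hunk, so the exact field set should be confirmed against it.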
@@ -1,6 +1,7 @@
 import SimpleSchema from 'simpl-schema';
 import Creatures from '/imports/api/creature/Creatures.js';
 import Experiences from '/imports/api/creature/experience/Experiences.js';
+import { assertViewPermission } from '/imports/api/creature/creaturePermissions.js';
 let schema = new SimpleSchema({
 creatureId: {
@@ -13,6 +14,9 @@ Meteor.publish('experiences', function(creatureId){
 schema.validate({ creatureId });
 this.autorun(function (){
 let userId = this.userId;
+ if (!userId) {
+ return [];
+ }
 let creatureCursor = Creatures.find({
 _id: creatureId,
 $or: [
@@ -22,7 +26,11 @@ Meteor.publish('experiences', function(creatureId){
 {public: true},
 ],
 });
- if (!creatureCursor.count()) return this.ready();
+ try {
+ assertViewPermission(creatureCursor.fetch()[0], this.userId);
+ } catch (e){
+ return [];
+ }
 return [
 Experiences.find({
 creatureId,
diff --git a/app/imports/server/publications/library.js b/app/imports/server/publications/library.js
index dd18a826..7650f841 100644
--- a/app/imports/server/publications/library.js
+++ b/app/imports/server/publications/library.js
@@ -12,10 +12,11 @@ Meteor.publish('standardLibraries', function(){
 Meteor.publish('libraries', function(){
 this.autorun(function (){
- if (!this.userId) {
- return this.ready();
+ let userId = this.userId;
+ if (!userId) {
+ return [];
 }
- const user = Meteor.users.findOne(this.userId, {
+ const user = Meteor.users.findOne(userId, {
 fields: {subscribedLibraries: 1}
 });
 const subs = user && user.subscribedLibraries || [];
diff --git a/app/imports/server/publications/singleCharacter.js b/app/imports/server/publications/singleCharacter.js
index eaeee22e..de2de40e 100644
--- a/app/imports/server/publications/singleCharacter.js
+++ b/app/imports/server/publications/singleCharacter.js
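Review bot: The added `if (!userId) { return []; }` guard in the experiences publication returns before the creature lookup, so a logged-out subscriber now gets an empty publication even when the creature would match the `{public: true}` branch that stays in the `$or` selector. If anonymous viewing of public creatures is meant to be blocked, say so next to the guard, e.g. `// Logged-out users get nothing, including public creatures`; if it is not, remove the guard and let `assertViewPermission` decide. The singleCharacter hunk adds the same guard. How `viewPermission` treats an undefined `userId` is not visible here.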
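Review bot: The bare `catch (e)` around `assertViewPermission` in the experiences publication turns every exception into an empty publication, so a failed lookup or a bug inside the permission helper looks exactly like a denial and is never surfaced. `creatureCursor.fetch()[0]` is also `undefined` when the selector matches nothing, and that case currently depends on the helper throwing. Handle the missing document explicitly, swallow only the permission error (assuming the helper throws `Meteor.Error`, as the sharingPermissions version does) and rethrow anything else; the call should also use the local `userId` rather than `this.userId`, as the singleCharacter hunk does. The singleCharacter hunk has the same try/catch, and the publish callback continues outside both hunks.

```javascript
// … unchanged: creatureCursor = Creatures.find({ … }) …
const creature = creatureCursor.fetch()[0];
if (!creature) {
  return [];
}
try {
  assertViewPermission(creature, userId);
} catch (e) {
  // Only a permission denial should end the publication quietly.
  if (!(e instanceof Meteor.Error)) throw e;
  return [];
}
// … unchanged: return [ Experiences.find({ … }) ] …
```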
@@ -2,6 +2,7 @@ import SimpleSchema from 'simpl-schema';
 import Creatures from '/imports/api/creature/Creatures.js';
 import CreatureProperties from '/imports/api/creature/CreatureProperties.js';
 import CreatureLogs from '/imports/api/creature/log/CreatureLogs.js';
+import { assertViewPermission } from '/imports/api/creature/creaturePermissions.js';
 let schema = new SimpleSchema({
 creatureId: {
@@ -14,6 +15,9 @@ Meteor.publish('singleCharacter', function(creatureId){
 schema.validate({ creatureId });
 this.autorun(function (){
 let userId = this.userId;
+ if (!userId) {
+ return [];
+ }
 let creatureCursor = Creatures.find({
 _id: creatureId,
 $or: [
@@ -23,7 +27,11 @@ Meteor.publish('singleCharacter', function(creatureId){
 {public: true},
 ],
 });
- if (!creatureCursor.count()) return this.ready();
+ try {
+ assertViewPermission(creatureCursor.fetch()[0], userId);
+ } catch (e){
+ return [];
+ }
 return [
 creatureCursor,
 CreatureProperties.find({
diff --git a/app/imports/server/publications/slotFillers.js b/app/imports/server/publications/slotFillers.js
index 9d297293..cd3804d5 100644
--- a/app/imports/server/publications/slotFillers.js
+++ b/app/imports/server/publications/slotFillers.js
@@ -4,17 +4,18 @@ import CreatureProperties from '/imports/api/creature/CreatureProperties.js';
 Meteor.publish('slotFillers', function(slotId){
 this.autorun(function (){
- if (!this.userId) {
- return this.ready();
+ let userId = this.userId;
+ if (!userId) {
+ return [];
 }
 // Get the slot
 let slot = CreatureProperties.findOne(slotId);
 if (!slot){
- return this.ready()
+ return [];
 }
 // Get all the ids of libraries the user can access
- const user = Meteor.users.findOne(this.userId, {
+ const user = Meteor.users.findOne(userId, {
 fields: {subscribedLibraries: 1}
 });
 const subs = user && user.subscribedLibraries || [];
diff --git a/app/imports/server/publications/tabletops.js b/app/imports/server/publications/tabletops.js
index 3f2ac41d..b6fc4ea1 100644
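Review bot: In the slotFillers publication, `slotId` comes straight from the subscribing client and reaches `CreatureProperties.findOne(slotId)` with no type check, so a non-string value would be interpreted as a Mongo selector rather than as an id. The experiences and singleCharacter publications validate their argument with `schema.validate({ creatureId })`; do the same here, or add `check(slotId, String);` as the first line of the publish function (this needs `check` from `meteor/check` if the file does not already import it). The hunk also shows no check that the user may view the creature that owns the slot, though the rest of the function lies outside the hunk. The `tabletop` publication's `tabletopId` shows no validation in its hunk either.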
--- a/app/imports/server/publications/tabletops.js
+++ b/app/imports/server/publications/tabletops.js
@@ -5,7 +5,7 @@ import Messages from '/imports/api/tabletop/Messages.js';
 Meteor.publish('tabletops', function(){
 var userId = this.userId;
 if (!userId) {
- return this.ready();
+ return [];
 }
 return Tabletops.find({
 $or: [
@@ -18,7 +18,7 @@ Meteor.publish('tabletops', function(){
 Meteor.publish('tabletop', function(tabletopId){
 var userId = this.userId;
 if (!userId) {
- return this.ready();
+ return [];
 }
 this.autorun(function (){
 let tabletopCursor = Tabletops.find({
@@ -30,7 +30,7 @@ Meteor.publish('tabletop', function(tabletopId){
 });
 let tabletop = tabletopCursor.fetch()[0];
 if (!tabletop){
- return this.ready();
+ return [];
 }
 // Warning, this leaks data to users of the same tabletop who may not have
 // read permission of this specific creature, so publish as few fields as
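Review bot: The `assertViewPermission` checks this commit adds to other publications are not applied in the `tabletop` publication, whose context comment in the last hunk records that it exposes creature data to tabletop members who lack read permission on that creature. The publishing code sits below the hunk, so the field list cannot be reviewed from here. If the exposure is accepted, name the published fields in the comment and keep them to an explicit allowlist; otherwise filter the creatures through the same permission helper before publishing.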