From 98579cfa250a0de13777936b2de88cec9a5c624a Mon Sep 17 00:00:00 2001
From: yflory
Date: Tue, 20 Oct 2020 14:02:35 +0200
Subject: [PATCH] Fix team access rights
---
 www/common/outer/roster.js | 2 ++
 www/common/outer/team.js | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/www/common/outer/roster.js b/www/common/outer/roster.js
index 1db1bf5c7..fa3a700e2 100644
--- a/www/common/outer/roster.js
+++ b/www/common/outer/roster.js
@@ -67,6 +67,8 @@ var factory = function (Util, Hash, CPNetflux, Sortify, nThen, Crypto) {
 if (authorRole === 'OWNER') { return true; }
 // admins can add other admins or members or viewers
 if (authorRole === "ADMIN") { return ['ADMIN', 'MEMBER', 'VIEWER'].indexOf(role) !== -1; }
+ // members can demote themselves to viewer (they can only describe themselves)
+ if (authorRole === "MEMBER") { return role === 'VIEWER'; }
 // (MEMBER, other) can't add anyone of any role
 return false;
 };
diff --git a/www/common/outer/team.js b/www/common/outer/team.js
index 7370b1589..2dacca689 100644
--- a/www/common/outer/team.js
+++ b/www/common/outer/team.js
@@ -491,6 +491,7 @@ define([
 Feedback.send("ROSTER_CORRUPTED");
 return;
 }
+ // Kicked from the team
 if (!state.members[me]) {
 lm.stop();
 roster.stop();
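Review bot: The new MEMBER branch in roster.js returns true for any `role === 'VIEWER'` without looking at who is being described, so the "they can only describe themselves" restriction the comment relies on is not enforced by this helper: unless every caller first checks that the target is the author, a MEMBER could demote another member, admin or owner to VIEWER. If that check lives in the DESCRIBE handler, say so here so the next reader does not assume this function is sufficient on its own, e.g. `// members may only assign VIEWER; the DESCRIBE handler restricts them to their own entry`; otherwise pass the target identity in and compare it to the author before returning true. The enclosing function starts before the hunk, so I cannot see whether a target parameter is available to it.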
@@ -499,6 +500,25 @@ define([
 ctx.updateMetadata();
 cb({error: 'EFORBIDDEN'});
 waitFor.abort();
+ return;
+ }
+ // Check access rights
+ // If we're not a viewer, make sure we have edit rights
+ var s = state.members[me];
+ if (!teamData.hash && ['ADMIN', 'MEMBER'].indexOf(s.role) !== -1) {
+ console.warn("Missing edit rights: demote to viewer");
+ var data = {};
+ data[ctx.store.proxy.curvePublic] = {
+ role: "VIEWER"
+ };
+ roster.describe(data, function (err) {
+ Feedback.send("TEAM_RIGHTS_FIXED");
+ if (!err) { return; }
+ if (err === 'NO_CHANGE') { return; }
+ console.error(err);
+ });
+ } else if (!teamData.hash && s.role === "OWNER") {
+ Feedback.send("TEAM_RIGHTS_OWNER");
 }
 }).nThen(function () {
 onReady(ctx, id, lm, roster, keys, null, cb);
@@ -1690,14 +1710,17 @@ define([
 // Team already found. If this one has better access rights, keep it.
 // Otherwise, delete it
+ ctx.store.proxy.duplicateTeams = ctx.store.proxy.duplicateTeams || {};
 // No edit right or we already had edit rights? delete
 if (!t.hash || (!t.owner && _t.edit) || _t.owner) {
+ ctx.store.proxy.duplicateTeams[id] = teams[id];
 delete teams[id];
 return;
 }
 // We didn't have edit rights and now we have them: replace
+ ctx.store.proxy.duplicateTeams[_t.id] = teams[_t.id];
 delete teams[_t.id];
 _teams[t.channel] = { edit: Boolean(t.hash), owner: t.owner, id:id };
 });
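Review bot: `Feedback.send("TEAM_RIGHTS_FIXED")` runs before `err` is inspected, so the telemetry reports a successful demotion even when the roster rejected the DESCRIBE; reorder the callback to `if (err && err !== 'NO_CHANGE') { console.error(err); return; } Feedback.send("TEAM_RIGHTS_FIXED");`. The demotion is also triggered by the mere absence of `teamData.hash`, and the resulting role change can only be reversed by an ADMIN or OWNER, so it is worth a comment stating that a missing hash is assumed to be a permanent loss of edit rights rather than a transient or partially-loaded state, e.g. `// A missing hash means this device has no edit key for the team; the roster role must not claim more`. The key written into `data` is `ctx.store.proxy.curvePublic` while the lookup above uses `me`; presumably these are the same value, but if not the describe would target a different entry, so it would be clearer to reuse `me` here. The enclosing nThen callback starts before the hunk.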
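Review bot: The entries stashed into `ctx.store.proxy.duplicateTeams` are never removed in this hunk, and `ctx.store.proxy` appears to be the user's persisted store, so every deduplicated team entry is retained there indefinitely next to the surviving one; if `teams[id]` carries the team's access hash or keys, that keeps discarded credentials alive in the drive for as long as the account exists. If the intent is to allow later recovery, add a comment saying so and naming the pruning path, e.g. `// Keep the discarded duplicate (it may still hold usable keys) so rights can be recovered later; cleaned up by …`; if no pruning path exists, consider deleting the stash once the surviving entry has been confirmed to work. The enclosing forEach callback starts before the hunk.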