infra
/
cryptpad
2
1
Fork 0
Code Issues Pull Requests Projects Releases 1 Activity

Fix team access rights

Browse Source
pull/1/head
yflory 4 years ago
parent abeadb59e1
commit 98579cfa25
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File

2
www/common/outer/roster.js
Unescape Escape View File

@ -67,6 +67,8 @@ var factory = function (Util, Hash, CPNetflux, Sortify, nThen, Crypto) {
if (authorRole === 'OWNER') { return true; } if (authorRole === 'OWNER') { return true; }
// admins can add other admins or members or viewers // admins can add other admins or members or viewers
if (authorRole === "ADMIN") { return ['ADMIN', 'MEMBER', 'VIEWER'].indexOf(role) !== -1; } if (authorRole === "ADMIN") { return ['ADMIN', 'MEMBER', 'VIEWER'].indexOf(role) !== -1; }
// members can demote themselves to viewer (they can only describe themselves)
if (authorRole === "MEMBER") { return role === 'VIEWER'; }
// (MEMBER, other) can't add anyone of any role // (MEMBER, other) can't add anyone of any role
return false; return false;
}; };

23
www/common/outer/team.js
Unescape Escape View File

@ -491,6 +491,7 @@ define([
Feedback.send("ROSTER_CORRUPTED"); Feedback.send("ROSTER_CORRUPTED");
return; return;
} }
// Kicked from the team
if (!state.members[me]) { if (!state.members[me]) {
lm.stop(); lm.stop();
roster.stop(); roster.stop();
@ -499,6 +500,25 @@ define([
ctx.updateMetadata(); ctx.updateMetadata();
cb({error: 'EFORBIDDEN'}); cb({error: 'EFORBIDDEN'});
waitFor.abort(); waitFor.abort();
return;
}
// Check access rights
// If we're not a viewer, make sure we have edit rights
var s = state.members[me];
if (!teamData.hash && ['ADMIN', 'MEMBER'].indexOf(s.role) !== -1) {
console.warn("Missing edit rights: demote to viewer");
var data = {};
data[ctx.store.proxy.curvePublic] = {
role: "VIEWER"
};
roster.describe(data, function (err) {
Feedback.send("TEAM_RIGHTS_FIXED");
if (!err) { return; }
if (err === 'NO_CHANGE') { return; }
console.error(err);
});
} else if (!teamData.hash && s.role === "OWNER") {
Feedback.send("TEAM_RIGHTS_OWNER");
} }
}).nThen(function () { }).nThen(function () {
onReady(ctx, id, lm, roster, keys, null, cb); onReady(ctx, id, lm, roster, keys, null, cb);
@ -1690,14 +1710,17 @@ define([
// Team already found. If this one has better access rights, keep it. // Team already found. If this one has better access rights, keep it.
// Otherwise, delete it // Otherwise, delete it
ctx.store.proxy.duplicateTeams = ctx.store.proxy.duplicateTeams || {};
// No edit right or we already had edit rights? delete // No edit right or we already had edit rights? delete
if (!t.hash || (!t.owner && _t.edit) || _t.owner) { if (!t.hash || (!t.owner && _t.edit) || _t.owner) {
ctx.store.proxy.duplicateTeams[id] = teams[id];
delete teams[id]; delete teams[id];
return; return;
} }
// We didn't have edit rights and now we have them: replace // We didn't have edit rights and now we have them: replace
ctx.store.proxy.duplicateTeams[_t.id] = teams[_t.id];
delete teams[_t.id]; delete teams[_t.id];
_teams[t.channel] = { edit: Boolean(t.hash), owner: t.owner, id:id }; _teams[t.channel] = { edit: Boolean(t.hash), owner: t.owner, id:id };
}); });

Write Preview
Loading…
Cancel
Save