From 9f2441bd2c6ca9ce3baa37274093ec5e5666165d Mon Sep 17 00:00:00 2001
From: Samuel Couillard <43917914+scouillard@users.noreply.github.com>
Date: Mon, 15 May 2023 14:03:55 -0400
Subject: [PATCH] fix(join meeting): Moderator are authorized to start the meeting (#5183)
---
 app/controllers/api/v1/meetings_controller.rb | 13 +++++++++++--
 spec/controllers/meetings_controller_spec.rb | 15 +++++++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/app/controllers/api/v1/meetings_controller.rb b/app/controllers/api/v1/meetings_controller.rb
index 3b5126fac5..90ffdb0c7d 100644
--- a/app/controllers/api/v1/meetings_controller.rb
+++ b/app/controllers/api/v1/meetings_controller.rb
@@ -54,7 +54,7 @@ def status
 settings: %w[glRequireAuthentication glViewerAccessCode glModeratorAccessCode glAnyoneCanStart glAnyoneJoinAsModerator]
 ).call
- return render_error status: :unauthorized if !current_user && settings['glRequireAuthentication'] == 'true'
+ return render_error status: :unauthorized if unauthorized_access?(settings)
 bbb_role = infer_bbb_role(mod_code: settings['glModeratorAccessCode'],
 viewer_code: settings['glViewerAccessCode'],
@@ -66,7 +66,8 @@ def status
 status: BigBlueButtonApi.new(provider: current_provider).meeting_running?(room: @room)
 }
- if !data[:status] && settings['glAnyoneCanStart'] == 'true' # Meeting isnt running and anyoneCanStart setting is enabled
+ # Starts meeting if meeting is not running and glAnyoneCanStart is enabled or user is a moderator
+ if !data[:status] && authorized_to_start_meeting?(settings, bbb_role)
 begin
 MeetingStarter.new(room: @room, base_url: request.base_url, current_user:, provider: current_provider).call
 rescue BigBlueButton::BigBlueButtonException => e
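Review bot: In the second hunk (`@@ -66,7 +66,8 @@`), the start condition now depends on `bbb_role`, so any caller that `infer_bbb_role` labels 'Moderator' can start the meeting even when `glAnyoneCanStart` is 'false'. From the `authorized_as_moderator?` context shown later in this patch, that role can apparently be granted through a submitted access code or `glAnyoneJoinAsModerator`, not only through ownership, and with `glRequireAuthentication` off the caller may have no `current_user`. If that reach is intended, the comment should say so, e.g. `# Moderator includes callers who qualified via access code or glAnyoneJoinAsModerator, not only the room owner`; if it is not, the start decision needs an ownership check rather than the join role. The body of `status` starts and ends outside this hunk, so any earlier rejection of a nil `bbb_role` is not visible here.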
@@ -122,6 +123,14 @@ def authorized_as_moderator?(mod_code:, viewer_code:, anyone_join_as_mod:)
 (anyone_join_as_mod && (access_code_validator(access_code: mod_code) || access_code_validator(access_code: viewer_code)))
 end
+ def authorized_to_start_meeting?(settings, bbb_role)
+ settings['glAnyoneCanStart'] == 'true' || bbb_role == 'Moderator'
+ end
+
+ def unauthorized_access?(settings)
+ !current_user && settings['glRequireAuthentication'] == 'true'
+ end
+
 def access_code_validator(access_code:)
 access_code.present? && params[:access_code].present? && access_code == params[:access_code]
 end
diff --git a/spec/controllers/meetings_controller_spec.rb b/spec/controllers/meetings_controller_spec.rb
index 21230bb124..8b1976773c 100644
--- a/spec/controllers/meetings_controller_spec.rb
+++ b/spec/controllers/meetings_controller_spec.rb
@@ -149,11 +149,12 @@
 expect(JSON.parse(response.body)['data']).to eq({ 'joinUrl' => 'JOIN_URL', 'status' => true })
 end
- it 'returns status false if the meeting is NOT running' do
+ it 'returns status false if the meeting is NOT running and the user is NOT authorized to start the meeting' do
 allow_any_instance_of(BigBlueButtonApi).to receive(:meeting_running?).and_return(false)
 expect_any_instance_of(BigBlueButtonApi).not_to receive(:join_meeting)
- post :status, params: { friendly_id: room.friendly_id, name: user.name }
+ post :status, params: { friendly_id: test_room.friendly_id, name: user.name }
+ expect(response).to have_http_status(:ok)
 expect(JSON.parse(response.body)['data']).to eq({ 'status' => false })
 end
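Review bot: In the `@@ -122,6 +123,14 @@` hunk, `unauthorized_access?` tests only that there is no `current_user` while `glRequireAuthentication` is 'true', which is an authentication check; a name such as `authentication_required?` would keep it from being read as the authorization gate for the action (the call site in the first hunk would change with it). Both new helpers lack a comment; I would add `# True when the room allows anyone to start, or the caller's inferred BBB role is 'Moderator'.` above `authorized_to_start_meeting?`. The class's visibility section is outside the hunk, so confirm these `def`s sit below `private` and are not exposed as controller actions.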
@@ -184,6 +185,16 @@
 post :status, params: { friendly_id: test_room.friendly_id, name: user.name }
 end
+ it 'starts the meeting if the user is a moderator' do
+ allow_any_instance_of(BigBlueButtonApi).to receive(:meeting_running?).and_return(false)
+ expect_any_instance_of(MeetingStarter).to receive(:call)
+
+ post :status, params: { friendly_id: room.friendly_id, name: user.name }
+
+ expect(response).to have_http_status(:ok)
+ expect(JSON.parse(response.body)['data']).to eq({ 'joinUrl' => 'JOIN_URL', 'status' => true })
+ end
+
 context 'user is joining a shared room' do
 before do
 guest_user.shared_rooms << room
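Review bot: The new example 'starts the meeting if the user is a moderator' does not show `glAnyoneCanStart` being pinned to 'false', so if the surrounding setup (outside this hunk) leaves it 'true' the example passes without exercising the `bbb_role == 'Moderator'` branch. It also covers only one way of being a moderator (apparently the signed-in user's own `room`); the case where the role comes from a submitted moderator access code or `glAnyoneJoinAsModerator` has no example, so the policy for those callers is untested either way. I would add one example per path that states the intended outcome with `expect_any_instance_of(MeetingStarter).to receive(:call)` or `.not_to receive(:call)`.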