Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add viewer privilage #274

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Add viewer privilage #274

wants to merge 2 commits into from

Conversation

rohith1222004
Copy link

I've made an update to our whiteboard application that adds a new "viewer" permission to the JWT payload. This update will allow us to restrict users to only viewing the whiteboard, without giving them editing capabilities.

lovasoa
lovasoa requested changes Apr 25, 2023
View reviewed changes
Copy link
Owner

@lovasoa lovasoa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for opening a PR !

However, it looks like the new implementation does not actually prevent the user from sending write commands to the socket.io handler. Users can actually write to the board even with a simple viewer token, the menu is just hidden in the ui

index.py Outdated
Comment on lines 1 to 11
# encode.py
import datetime
import jwt # import jwt library
SECRET_KEY = "test123"
# json data to encode
json_data = {
"roles": ["moderator:firstboard","viewer:hboard"]
}
encode_data = jwt.encode(payload=json_data, \
key=SECRET_KEY, algorithm="HS256")
print(encode_data)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# encode.py
import datetime
import jwt # import jwt library
SECRET_KEY = "test123"
# json data to encode
json_data = {
"roles": ["moderator:firstboard","viewer:hboard"]
}
encode_data = jwt.encode(payload=json_data, \
key=SECRET_KEY, algorithm="HS256")
print(encode_data)

We probably don't want to create a python script here

package.json Outdated
@@ -14,7 +14,7 @@
"jsonwebtoken": "^8.5.1",
"polyfill-library": "^3.107.1",
"serve-static": "^1.14.1",
"socket.io": "^4",
"socket.io": "^4.6.1",
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not seem to be linked to the current PR. You can open a distinct pr to update dependencies

server/templating.js
class BoardTemplate extends Template {
parameters(parsedUrl, request, isModerator) {
const params = super.parameters(parsedUrl, request, isModerator);
const parts = parsedUrl.pathname.split("boards/", 2);
console.log(parts[1]);
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
console.log(parts[1]);

server/templating.js
if (userRole === "viewer") {
params["hideMenu"] = true;
} else {
params["hideMenu"] = false;
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
params["hideMenu"] = false;
params["hideMenu"] = false;

you don't want to override that. keep the value from the query

@lovasoa lovasoa marked this pull request as draft April 26, 2023 07:46
@lovasoa
Copy link
Owner

lovasoa commented Apr 26, 2023

I've converted the PR to a draft, feel free to pass it back to "ready for review" when you want me to look at it again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lovasoa lovasoa lovasoa requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rohith1222004 @lovasoa