feat: check permissions in realtime code and frontend

Signed-off-by: Philip Molares <philip.molares@udo.edu> Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2025-05-15 23:54:42 -04:00 · 2023-03-26 14:51:18 +02:00 · 2023-03-26 14:51:18 +02:00 · c2f41118b6
commit c2f41118b6
parent 24f1b2a361
27 changed files with 287 additions and 66 deletions
--- a/backend/src/realtime/realtime-note/realtime-connection.spec.ts
+++ b/backend/src/realtime/realtime-note/realtime-connection.spec.ts
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ * SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
@ -53,6 +53,7 @@ describe('websocket connection', () => {
      mockedMessageTransporter,
      mockedUser,
      mockedRealtimeNote,
+      true,
    );
    expect(sut.getTransporter()).toBe(mockedMessageTransporter);
  });
@ -62,6 +63,7 @@ describe('websocket connection', () => {
      mockedMessageTransporter,
      mockedUser,
      mockedRealtimeNote,
+      true,
    );
    expect(sut.getRealtimeNote()).toBe(mockedRealtimeNote);
  });
@ -76,6 +78,7 @@ describe('websocket connection', () => {
      mockedMessageTransporter,
      mockedUser,
      mockedRealtimeNote,
+      true,
    );

    expect(sut.getRealtimeUserStateAdapter()).toBe(realtimeUserStatus);
@ -91,6 +94,7 @@ describe('websocket connection', () => {
      mockedMessageTransporter,
      mockedUser,
      mockedRealtimeNote,
+      true,
    );

    expect(sut.getSyncAdapter()).toBe(yDocSyncServerAdapter);
@ -101,6 +105,7 @@ describe('websocket connection', () => {
      mockedMessageTransporter,
      mockedUser,
      mockedRealtimeNote,
+      true,
    );

    const removeClientSpy = jest.spyOn(mockedRealtimeNote, 'removeClient');
@ -115,6 +120,7 @@ describe('websocket connection', () => {
      mockedMessageTransporter,
      mockedUser,
      mockedRealtimeNote,
+      true,
    );

    expect(sut.getUser()).toBe(mockedUser);
@ -127,6 +133,7 @@ describe('websocket connection', () => {
      mockedMessageTransporter,
      mockedUserWithUsername,
      mockedRealtimeNote,
+      true,
    );

    expect(sut.getDisplayName()).toBe('MockUser');
@ -143,6 +150,7 @@ describe('websocket connection', () => {
      mockedMessageTransporter,
      mockedUser,
      mockedRealtimeNote,
+      true,
    );

    expect(sut.getDisplayName()).toBe(randomName);
--- a/backend/src/realtime/realtime-note/realtime-connection.ts
+++ b/backend/src/realtime/realtime-note/realtime-connection.ts
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ * SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
@ -28,12 +28,14 @@ export class RealtimeConnection {
   * @param messageTransporter The message transporter that handles the communication with the client.
   * @param user The user of the client
   * @param realtimeNote The {@link RealtimeNote} that the client connected to.
+   * @param acceptEdits If edits by this connection should be accepted.
   * @throws Error if the socket is not open
   */
  constructor(
    messageTransporter: MessageTransporter,
    private user: User | null,
    private realtimeNote: RealtimeNote,
+    private acceptEdits: boolean,
  ) {
    this.displayName = user?.displayName ?? generateRandomName();
    this.transporter = messageTransporter;
@ -44,6 +46,7 @@ export class RealtimeConnection {
    this.yDocSyncAdapter = new YDocSyncServerAdapter(
      this.transporter,
      realtimeNote.getRealtimeDoc(),
+      acceptEdits,
    );
    this.realtimeUserStateAdapter = new RealtimeUserStatusAdapter(
      this.user?.username ?? null,
--- a/backend/src/realtime/websocket/websocket.gateway.spec.ts
+++ b/backend/src/realtime/websocket/websocket.gateway.spec.ts
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ * SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
@ -195,8 +195,18 @@ describe('Websocket gateway', () => {
        }
      });

-    const mockedNote = Mock.of<Note>({ id: 4711 });
-    const mockedGuestNote = Mock.of<Note>({ id: 1235 });
+    const mockedNote = Mock.of<Note>({
+      id: 4711,
+      owner: Promise.resolve(mockUser),
+      userPermissions: Promise.resolve([]),
+      groupPermissions: Promise.resolve([]),
+    });
+    const mockedGuestNote = Mock.of<Note>({
+      id: 1235,
+      owner: Promise.resolve(null),
+      userPermissions: Promise.resolve([]),
+      groupPermissions: Promise.resolve([]),
+    });
    jest
      .spyOn(notesService, 'getNoteByIdOrAlias')
      .mockImplementation((noteId: string) => {
--- a/backend/src/realtime/websocket/websocket.gateway.ts
+++ b/backend/src/realtime/websocket/websocket.gateway.ts
@ -1,9 +1,13 @@
 /*
- * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ * SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
-import { WebsocketTransporter } from '@hedgedoc/commons';
+import {
+  NotePermissions,
+  userCanEdit,
+  WebsocketTransporter,
+} from '@hedgedoc/commons';
 import { OnGatewayConnection, WebSocketGateway } from '@nestjs/websockets';
 import { IncomingMessage } from 'http';
 import WebSocket from 'ws';
@ -77,10 +81,16 @@ export class WebsocketGateway implements OnGatewayConnection {
        await this.realtimeNoteService.getOrCreateRealtimeNote(note);

      const websocketTransporter = new WebsocketTransporter();
+      const permissions = await this.noteService.toNotePermissionsDto(note);
+      const acceptEdits: boolean = userCanEdit(
+        permissions as NotePermissions,
+        user?.username,
+      );
      const connection = new RealtimeConnection(
        websocketTransporter,
        user,
        realtimeNote,
+        acceptEdits,
      );
      websocketTransporter.setWebsocket(clientSocket);