Authorize users before updating their cursor positions

2024-11-07 20:31:06 -05:00 · 2014-11-24 12:05:05 +00:00 · 2014-11-24 12:05:05 +00:00 · 57a34e940e
commit 57a34e940e
parent a48c8aad92
2 changed files with 23 additions and 19 deletions
--- a/services/real-time/app/coffee/WebsocketController.coffee
+++ b/services/real-time/app/coffee/WebsocketController.coffee
@ -113,25 +113,28 @@ module.exports = WebsocketController =
 		], (error, {project_id, first_name, last_name, email, user_id}) ->
 			return callback(error) if error?
 			logger.log {user_id, project_id, client_id: client.id, cursorData: cursorData}, "updating client position"
-			cursorData.id      = client.id
-			cursorData.user_id = user_id if user_id?
-			cursorData.email   = email   if email?
-			if first_name? and last_name?
-				cursorData.name = first_name + " " + last_name
-				ConnectedUsersManager.updateUserPosition(project_id, client.id, {
-					first_name: first_name,
-					last_name:  last_name,
-					email:      email,
-					user_id:    user_id
-				}, {
-					row:    cursorData.row,
-					column: cursorData.column,
-					doc_id: cursorData.doc_id
-				}, callback)
-			else
-				cursorData.name = "Anonymous"
-				callback()
-			WebsocketLoadBalancer.emitToRoom(project_id, "clientTracking.clientUpdated", cursorData)
+					
+			AuthorizationManager.assertClientCanViewProject client, (error) ->
+				return callback(error) if error?
+				cursorData.id      = client.id
+				cursorData.user_id = user_id if user_id?
+				cursorData.email   = email   if email?
+				if first_name? and last_name?
+					cursorData.name = first_name + " " + last_name
+					ConnectedUsersManager.updateUserPosition(project_id, client.id, {
+						first_name: first_name,
+						last_name:  last_name,
+						email:      email,
+						user_id:    user_id
+					}, {
+						row:    cursorData.row,
+						column: cursorData.column,
+						doc_id: cursorData.doc_id
+					}, callback)
+				else
+					cursorData.name = "Anonymous"
+					callback()
+				WebsocketLoadBalancer.emitToRoom(project_id, "clientTracking.clientUpdated", cursorData)
 		
 	getConnectedUsers: (client, callback = (error, users) ->) ->
 		metrics.inc "editor.get-connected-users"
--- a/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee
+++ b/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee
@ -298,6 +298,7 @@ describe 'WebsocketController', ->
 		beforeEach ->
 			@WebsocketLoadBalancer.emitToRoom = sinon.stub()
 			@ConnectedUsersManager.updateUserPosition = sinon.stub().callsArgWith(4)
+			@AuthorizationManager.assertClientCanViewProject = sinon.stub().callsArgWith(1, null)
 			@update = {
 				doc_id: @doc_id = "doc-id-123"
 				row: @row = 42