From 14734372956fa5d6c6159ba8c4b00a90b80ea8d6 Mon Sep 17 00:00:00 2001
From: Wu Cheng-Han
Date: Mon, 16 Jan 2017 23:47:53 +0800
Subject: Refactor checkViewPermission to fix limited & protected permission check bug and fix code style

---
 lib/realtime.js | 48 ++++++++++++++++++++++++++++--------------------
 lib/response.js | 6 +++---
 2 files changed, 31 insertions(+), 23 deletions(-)

(limited to 'lib')

diff --git a/lib/realtime.js b/lib/realtime.js
index 0f2a6680..fadea4f2 100644
--- a/lib/realtime.js
+++ b/lib/realtime.js
@@ -363,6 +363,22 @@ function interruptConnection(socket, note, user) {
 connectNextSocket();
 }
 
+function checkViewPermission(req, note) {
+ if (note.permission == 'private') {
+ if (req.user && req.user.logged_in && req.user.id == note.owner)
+ return true;
+ else
+ return false;
+ } else if (note.permission == 'limited' || note.permission == 'protected') {
+ if(req.user && req.user.logged_in)
+ return true;
+ else
+ return false;
+ } else {
+ return true;
+ }
+}
+
 var isConnectionBusy = false;
 var connectionSocketQueue = [];
 var isDisconnectBusy = false;
@@ -373,14 +389,10 @@ function finishConnection(socket, note, user) {
 if (!socket || !note || !user) {
 return interruptConnection(socket, note, user);
 }
- //check view permission
- if (note.permission == 'limited' || note.permission == 'protected' || note.permission == 'private') {
- if (socket.request.user && socket.request.user.logged_in && socket.request.user.id == note.owner) {
- //na
- } else {
- interruptConnection(socket, note, user);
- return failConnection(403, 'connection forbidden', socket);
- }
+ // check view permission
+ if (!checkViewPermission(socket.request, note)) {
+ interruptConnection(socket, note, user);
+ return failConnection(403, 'connection forbidden', socket);
 }
 // update user color to author color
 if (note.authors[user.userid]) {
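Review bot: `checkViewPermission` now exists twice — this new copy in lib/realtime.js and the existing one in lib/response.js (touched in the last hunk) — and the two decide "logged in" differently (`req.user && req.user.logged_in` here, `req.isAuthenticated()` there), so a later change to one access rule can silently miss the other; moving the rule into one shared module that both files import would keep the socket and HTTP paths enforcing the same policy. The owner comparison `req.user.id == note.owner` uses loose equality; `===` avoids coercion between the two ids, assuming they are stored with the same type (worth confirming against the model). The if/else pairs that return literal booleans read more directly as `return Boolean(req.user && req.user.logged_in && req.user.id == note.owner);` and `return Boolean(req.user && req.user.logged_in);`. The final `else` grants view for every other permission value, including an undefined one; if the permission values form a fixed set, naming the open ones explicitly would make that fail-open default deliberate rather than implicit.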
@@ -789,18 +801,14 @@ function connection(socket) {
 for (var i = 0, l = note.socks.length; i < l; i++) {
 var sock = note.socks[i];
 if (typeof sock !== 'undefined' && sock) {
- //check view permission
- if (permission == 'limited' || permission == 'protected' || permission == 'private') {
- if (sock.request.user && sock.request.user.logged_in && sock.request.user.id == note.owner) {
- //na
- } else {
- sock.emit('info', {
- code: 403
- });
- setTimeout(function () {
- sock.disconnect(true);
- }, 0);
- }
+ // check view permission
+ if (!checkViewPermission(sock.request, note)) {
+ sock.emit('info', {
+ code: 403
+ });
+ setTimeout(function () {
+ sock.disconnect(true);
+ }, 0);
 }
 }
 }
diff --git a/lib/response.js b/lib/response.js
index 57d6861d..585d1d54 100755
--- a/lib/response.js
+++ b/lib/response.js
@@ -127,10 +127,10 @@ function checkViewPermission(req, note) {
 else
 return true;
 } else if (note.permission == 'limited' || note.permission == 'protected') {
- if( !req.isAuthenticated() ) {
+ if(!req.isAuthenticated())
 return false;
- }
- return true;
+ else
+ return true;
 } else {
 return true;
 }
-- 
cgit v1.2.3
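Review bot: The deferred disconnect in the realtime.js hunk, `setTimeout(function () { sock.disconnect(true); }, 0);`, closes over `sock`, which is declared with function-scoped `var` in the loop header above it; by the time any of the timers fires the loop has finished, so every callback sees the last value assigned to `sock`, and when more than one socket fails the new `checkViewPermission` check only the last one is actually disconnected while the others keep their connection after receiving the 403 info (unless the surrounding handler rebinds `sock` per iteration, which the hunk does not show). Passing the socket as a timer argument pins it per iteration: `setTimeout(function (s) { s.disconnect(true); }, 0, sock);`, or declare it with `let` if the file's Node target allows. This pattern predates the commit but is carried over onto the new side, and a permission tightening that leaves unauthorized sockets attached is worth closing here. The enclosing `connection` handler starts and ends outside the hunk.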