Skip to content

Add viewer privilage#274

Draft
rohith1222004 wants to merge 2 commits intolovasoa:masterfrom
rohith1222004:master
Draft

Add viewer privilage#274
rohith1222004 wants to merge 2 commits intolovasoa:masterfrom
rohith1222004:master

Conversation

@rohith1222004
Copy link

@rohith1222004 rohith1222004 commented Apr 25, 2023

I've made an update to our whiteboard application that adds a new "viewer" permission to the JWT payload. This update will allow us to restrict users to only viewing the whiteboard, without giving them editing capabilities.

lovasoa
lovasoa requested changes Apr 25, 2023
View reviewed changes
Copy link
Owner

@lovasoa lovasoa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for opening a PR !

However, it looks like the new implementation does not actually prevent the user from sending write commands to the socket.io handler. Users can actually write to the board even with a simple viewer token, the menu is just hidden in the ui

index.py Outdated
Comment on lines 1 to 11
# encode.py
import datetime
import jwt # import jwt library
SECRET_KEY = "test123"
# json data to encode
json_data = {
"roles": ["moderator:firstboard","viewer:hboard"]
}
encode_data = jwt.encode(payload=json_data, \
key=SECRET_KEY, algorithm="HS256")
print(encode_data) No newline at end of file
Copy link
Owner

@lovasoa lovasoa Apr 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# encode.py
import datetime
import jwt # import jwt library
SECRET_KEY = "test123"
# json data to encode
json_data = {
"roles": ["moderator:firstboard","viewer:hboard"]
}
encode_data = jwt.encode(payload=json_data, \
key=SECRET_KEY, algorithm="HS256")
print(encode_data)

We probably don't want to create a python script here

package.json Outdated
"polyfill-library": "^3.107.1",
"serve-static": "^1.14.1",
"socket.io": "^4",
"socket.io": "^4.6.1",
Copy link
Owner

@lovasoa lovasoa Apr 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not seem to be linked to the current PR. You can open a distinct pr to update dependencies

server/templating.js
parameters(parsedUrl, request, isModerator) {
const params = super.parameters(parsedUrl, request, isModerator);
const parts = parsedUrl.pathname.split("boards/", 2);
console.log(parts[1]);
Copy link
Owner

@lovasoa lovasoa Apr 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
console.log(parts[1]);

server/templating.js
if (userRole === "viewer") {
params["hideMenu"] = true;
} else {
params["hideMenu"] = false;
Copy link
Owner

@lovasoa lovasoa Apr 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
params["hideMenu"] = false;
params["hideMenu"] = false;

you don't want to override that. keep the value from the query

@lovasoa lovasoa marked this pull request as draft April 26, 2023 07:46
@lovasoa
Copy link
Owner

lovasoa commented Apr 26, 2023

I've converted the PR to a draft, feel free to pass it back to "ready for review" when you want me to look at it again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lovasoa lovasoa lovasoa requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rohith1222004 @lovasoa