From 21cb175d4085c3cb136857ff6fae9d50fbae15d1 Mon Sep 17 00:00:00 2001
From: Anton Georgiev <anto.georgiev@gmail.com>
Date: Fri, 30 Jul 2021 16:47:01 +0000
Subject: [PATCH] fix(polls): Avoid viewer manually subscribing to current-poll

---
 .../imports/api/polls/server/publishers.js            | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/bigbluebutton-html5/imports/api/polls/server/publishers.js b/bigbluebutton-html5/imports/api/polls/server/publishers.js
index 85bbd08b06..0fed60c677 100644
--- a/bigbluebutton-html5/imports/api/polls/server/publishers.js
+++ b/bigbluebutton-html5/imports/api/polls/server/publishers.js
@@ -1,8 +1,10 @@
 import { Meteor } from 'meteor/meteor';
 import Logger from '/imports/startup/server/logger';
+import Users from '/imports/api/users';
 import Polls from '/imports/api/polls';
 import AuthTokenValidation, { ValidationStates } from '/imports/api/auth-token-validation';
 
+const ROLE_MODERATOR = Meteor.settings.public.user.role_moderator;
 function currentPoll() {
   const tokenValidation = AuthTokenValidation.findOne({ connectionId: this.connection.id });
 
@@ -13,6 +15,15 @@ function currentPoll() {
 
   const { meetingId, userId } = tokenValidation;
 
+  const User = Users.findOne({ userId, meetingId }, { fields: { role: 1 } });
+  if (!User || User.role != ROLE_MODERATOR) {
+    Logger.warn(
+      'Publishing current-poll was requested by non-moderator connection',
+      { meetingId, userId, connectionId: this.connection.id }
+    );
+    return Polls.find({ meetingId: '' });
+  }
+
   Logger.debug('Publishing Polls', { meetingId, userId });
 
   const selector = {
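Review bot: The role check added before `Logger.debug('Publishing Polls', ...)` runs only once, when the publish function is invoked, because Meteor does not re-run a publish function when a document it read with `findOne` changes. If a user's role can change from moderator to viewer during a meeting, that connection would keep receiving current-poll until it resubscribes. One way to close the gap is to observe the user's role and stop the subscription when it no longer matches, as sketched below. Separately, `User.role != ROLE_MODERATOR` would be safer as `User.role !== ROLE_MODERATOR`, so an authorization decision never depends on type coercion. The body of currentPoll starts and continues outside this hunk, so the selector and returned cursor were not reviewed.

```javascript
  const User = Users.findOne({ userId, meetingId }, { fields: { role: 1 } });
  if (!User || User.role !== ROLE_MODERATOR) {
    // … unchanged: Logger.warn call and empty-cursor return …
  }

  // Re-evaluate authorization for the lifetime of the subscription.
  const roleHandle = Users.find({ userId, meetingId }, { fields: { role: 1 } }).observe({
    changed: (newDoc) => {
      if (newDoc.role !== ROLE_MODERATOR) this.stop();
    },
    removed: () => this.stop(),
  });
  this.onStop(() => roleHandle.stop());
```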
-- 
GitLab