fix(polls): Avoid viewer manually subscribing to current-poll

21cb175d · Anton Georgiev · aa0ea219 · 21cb175d
Commit 21cb175d authored 3 years ago by Anton Georgiev
--- a/bigbluebutton-html5/imports/api/polls/server/publishers.js
+++ b/bigbluebutton-html5/imports/api/polls/server/publishers.js
 import { Meteor } from 'meteor/meteor';
 import Logger from '/imports/startup/server/logger';
+import Users from '/imports/api/users';
 import Polls from '/imports/api/polls';
 import AuthTokenValidation, { ValidationStates } from '/imports/api/auth-token-validation';
+const ROLE_MODERATOR = Meteor.settings.public.user.role_moderator;
 function currentPoll() {
  const tokenValidation = AuthTokenValidation.findOne({ connectionId: this.connection.id });
@@ -13,6 +15,15 @@ function currentPoll() {
  const { meetingId, userId } = tokenValidation;
+  const User = Users.findOne({ userId, meetingId }, { fields: { role: 1 } });
+  if (!User || User.role != ROLE_MODERATOR) {
+    Logger.warn(
+      'Publishing current-poll was requested by non-moderator connection',
+      { meetingId, userId, connectionId: this.connection.id }
+    );
+    return Polls.find({ meetingId: '' });
+  }
  Logger.debug('Publishing Polls', { meetingId, userId });
  const selector = {