From ac3d627d15ebfe5e5f814e08a1bd6dddba3600fe Mon Sep 17 00:00:00 2001
From: Anton Georgiev <anto.georgiev@gmail.com>
Date: Fri, 30 Jul 2021 19:31:04 +0000
Subject: [PATCH] fix(guests): Propagate list of pending guests only to mods

---
 .../imports/api/guest-users/server/publishers.js   | 14 +++++++++++++-
 .../imports/api/polls/server/publishers.js         |  4 ++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/bigbluebutton-html5/imports/api/guest-users/server/publishers.js b/bigbluebutton-html5/imports/api/guest-users/server/publishers.js
index bc0b063a22..136559b95f 100644
--- a/bigbluebutton-html5/imports/api/guest-users/server/publishers.js
+++ b/bigbluebutton-html5/imports/api/guest-users/server/publishers.js
@@ -1,18 +1,30 @@
 import GuestUsers from '/imports/api/guest-users/';
+import Users from '/imports/api/users';
 import { Meteor } from 'meteor/meteor';
 import Logger from '/imports/startup/server/logger';
 import AuthTokenValidation, { ValidationStates } from '/imports/api/auth-token-validation';
 
+const ROLE_MODERATOR = Meteor.settings.public.user.role_moderator;
+
 function guestUsers() {
   const tokenValidation = AuthTokenValidation.findOne({ connectionId: this.connection.id });
 
   if (!tokenValidation || tokenValidation.validationStatus !== ValidationStates.VALIDATED) {
-    Logger.warn(`Publishing GuestUsers was requested by unauth connection ${this.connection.id}`);
+    Logger.warn(`Publishing GuestUser was requested by unauth connection ${this.connection.id}`);
     return GuestUsers.find({ meetingId: '' });
   }
 
   const { meetingId, userId } = tokenValidation;
 
+  const User = Users.findOne({ userId, meetingId }, { fields: { role: 1 } });
+  if (!User || User.role !== ROLE_MODERATOR) {
+    Logger.warn(
+      'Publishing current-poll was requested by non-moderator connection',
+      { meetingId, userId, connectionId: this.connection.id },
+    );
+    return GuestUsers.find({ meetingId: '' });
+  }
+
   Logger.debug(`Publishing GuestUsers for ${meetingId} ${userId}`);
 
   return GuestUsers.find({ meetingId });
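Review bot: The warning added in the non-moderator branch of guestUsers() still reads 'Publishing current-poll …', copied from the polls publisher, so denied guest-list subscriptions are logged under the wrong publication and are easy to miss when auditing access attempts; it should read `'Publishing GuestUsers was requested by non-moderator connection',`. The same hunk also changes the unauth warning to `GuestUser` while the debug line keeps `GuestUsers`, which splits log searches for a single publication. Separately, the role is read once with `Users.findOne` when the subscription starts, so as far as this hunk shows, a user demoted from moderator afterwards would keep receiving the pending-guest cursor until they resubscribe; it is worth confirming whether a role change stops the publication elsewhere. The body of guestUsers() ends outside the hunk.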
diff --git a/bigbluebutton-html5/imports/api/polls/server/publishers.js b/bigbluebutton-html5/imports/api/polls/server/publishers.js
index 0fed60c677..620a73b22d 100644
--- a/bigbluebutton-html5/imports/api/polls/server/publishers.js
+++ b/bigbluebutton-html5/imports/api/polls/server/publishers.js
@@ -16,10 +16,10 @@ function currentPoll() {
   const { meetingId, userId } = tokenValidation;
 
   const User = Users.findOne({ userId, meetingId }, { fields: { role: 1 } });
-  if (!User || User.role != ROLE_MODERATOR) {
+  if (!User || User.role !== ROLE_MODERATOR) {
     Logger.warn(
       'Publishing current-poll was requested by non-moderator connection',
-      { meetingId, userId, connectionId: this.connection.id }
+      { meetingId, userId, connectionId: this.connection.id },
     );
     return Polls.find({ meetingId: '' });
   }
-- 
GitLab