wip: publications

Author: Julusian

meteor/server/api/blueprints/api.ts

@@ -20,7 +20,6 @@ import { parseVersion } from '../../systemStatus/semverUtils'
 import { evalBlueprint } from './cache'
 import { removeSystemStatus } from '../../systemStatus/systemStatus'
 import { MethodContext, MethodContextAPI } from '../methodContext'
-import { OrganizationReadAccess } from '../../security/organization'
 import { generateTranslationBundleOriginId, upsertBundles } from '../translationsBundles'
 import { BlueprintId, OrganizationId, ShowStyleBaseId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { Blueprints, CoreSystem, ShowStyleBases, ShowStyleVariants, Studios } from '../../collections'
@@ -371,9 +370,6 @@ async function assignSystemBlueprint(methodContext: MethodContext, blueprintId:
 		const blueprint = await fetchBlueprintLight(blueprintId)
 		if (!blueprint) throw new Meteor.Error(404, 'Blueprint not found')
 
-		if (blueprint.organizationId)
-			await OrganizationReadAccess.organizationContent(blueprint.organizationId, { userId: methodContext.userId })
-
 		if (blueprint.blueprintType !== BlueprintManifestType.SYSTEM)
 			throw new Meteor.Error(404, 'Blueprint not of type SYSTEM')
 

meteor/server/api/heapSnapshot.ts

@@ -7,14 +7,11 @@ import { fixValidPath } from '../lib/lib'
 import { sleep } from '../lib/lib'
 import { stringifyError } from '@sofie-automation/shared-lib/dist/lib/stringifyError'
 import { logger } from '../logging'
-import { Settings } from '../Settings'
-import { Credentials } from '../security/lib/credentials'
-import { SystemWriteAccess } from '../security/system'
+import { assertConnectionIsDeveloper, RequestCredentials } from '../security/auth'
+
+async function retrieveHeapSnapshot(cred: RequestCredentials): Promise<Readable> {
+	assertConnectionIsDeveloper(cred)
 
-async function retrieveHeapSnapshot(cred0: Credentials): Promise<Readable> {
-	if (Settings.enableUserAccounts) {
-		await SystemWriteAccess.coreSystem(cred0)
-	}
 	logger.warn('Taking heap snapshot, expect system to be unresponsive for a few seconds..')
 	await sleep(100) // Allow the logger to catch up before continuing..
 
@@ -51,19 +48,9 @@ async function handleKoaResponse(ctx: Koa.ParameterizedContext, snapshotFcn: ()
 	}
 }
 
-// For backwards compatibility:
-if (!Settings.enableUserAccounts) {
-	// Retrieve heap snapshot:
-	heapSnapshotPrivateApiRouter.get('/retrieve', async (ctx) => {
-		return handleKoaResponse(ctx, async () => {
-			return retrieveHeapSnapshot({ userId: null })
-		})
-	})
-}
-
 // Retrieve heap snapshot:
-heapSnapshotPrivateApiRouter.get('/:token/retrieve', async (ctx) => {
+heapSnapshotPrivateApiRouter.get('/retrieve', async (ctx) => {
 	return handleKoaResponse(ctx, async () => {
-		return retrieveHeapSnapshot({ userId: null, token: ctx.params.token })
+		return retrieveHeapSnapshot(ctx)
 	})
 })

meteor/server/publications/buckets.ts

@@ -1,41 +1,36 @@
 import { FindOptions } from '@sofie-automation/meteor-lib/dist/collections/lib'
-import { BucketSecurity } from '../security/buckets'
 import { meteorPublish } from './lib'
 import { MeteorPubSub } from '@sofie-automation/meteor-lib/dist/api/pubsub'
 import { Bucket } from '@sofie-automation/meteor-lib/dist/collections/Buckets'
-import { StudioReadAccess } from '../security/studio'
-import { isProtectedString } from '@sofie-automation/corelib/dist/protectedString'
 import { BucketAdLibActions, BucketAdLibs, Buckets } from '../collections'
 import { check, Match } from 'meteor/check'
 import { StudioId, BucketId, ShowStyleVariantId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { CorelibPubSub } from '@sofie-automation/corelib/dist/pubsub'
+import { triggerWriteAccessBecauseNoCheckNecessary } from '../security/lib/securityVerify'
 
 meteorPublish(
 	MeteorPubSub.buckets,
 	async function (studioId: StudioId, bucketId: BucketId | null, _token: string | undefined) {
 		check(studioId, String)
 		check(bucketId, Match.Maybe(String))
 
+		triggerWriteAccessBecauseNoCheckNecessary()
+
 		const modifier: FindOptions<Bucket> = {
 			fields: {},
 		}
-		if (
-			(await StudioReadAccess.studioContent(studioId, this)) ||
-			(isProtectedString(bucketId) && bucketId && (await BucketSecurity.allowReadAccess(this, bucketId)))
-		) {
-			return Buckets.findWithCursor(
-				bucketId
-					? {
-							_id: bucketId,
-							studioId,
-					  }
-					: {
-							studioId,
-					  },
-				modifier
-			)
-		}
-		return null
+
+		return Buckets.findWithCursor(
+			bucketId
+				? {
+						_id: bucketId,
+						studioId,
+				  }
+				: {
+						studioId,
+				  },
+			modifier
+		)
 	}
 )
 
@@ -46,23 +41,22 @@ meteorPublish(
 		check(bucketId, String)
 		check(showStyleVariantIds, Array)
 
-		if (isProtectedString(bucketId) && (await BucketSecurity.allowReadAccess(this, bucketId))) {
-			return BucketAdLibs.findWithCursor(
-				{
-					studioId: studioId,
-					bucketId: bucketId,
-					showStyleVariantId: {
-						$in: [null, ...showStyleVariantIds], // null = valid for all variants
-					},
+		triggerWriteAccessBecauseNoCheckNecessary()
+
+		return BucketAdLibs.findWithCursor(
+			{
+				studioId: studioId,
+				bucketId: bucketId,
+				showStyleVariantId: {
+					$in: [null, ...showStyleVariantIds], // null = valid for all variants
 				},
-				{
-					fields: {
-						ingestInfo: 0, // This is a large blob, and is not of interest to the UI
-					},
-				}
-			)
-		}
-		return null
+			},
+			{
+				fields: {
+					ingestInfo: 0, // This is a large blob, and is not of interest to the UI
+				},
+			}
+		)
 	}
 )
 
@@ -73,22 +67,21 @@ meteorPublish(
 		check(bucketId, String)
 		check(showStyleVariantIds, Array)
 
-		if (isProtectedString(bucketId) && (await BucketSecurity.allowReadAccess(this, bucketId))) {
-			return BucketAdLibActions.findWithCursor(
-				{
-					studioId: studioId,
-					bucketId: bucketId,
-					showStyleVariantId: {
-						$in: [null, ...showStyleVariantIds], // null = valid for all variants
-					},
+		triggerWriteAccessBecauseNoCheckNecessary()
+
+		return BucketAdLibActions.findWithCursor(
+			{
+				studioId: studioId,
+				bucketId: bucketId,
+				showStyleVariantId: {
+					$in: [null, ...showStyleVariantIds], // null = valid for all variants
 				},
-				{
-					fields: {
-						ingestInfo: 0, // This is a large blob, and is not of interest to the UI
-					},
-				}
-			)
-		}
-		return null
+			},
+			{
+				fields: {
+					ingestInfo: 0, // This is a large blob, and is not of interest to the UI
+				},
+			}
+		)
 	}
 )

meteor/server/publications/organization.ts

@@ -1,26 +1,28 @@
-import { meteorPublish, AutoFillSelector } from './lib'
+import { meteorPublish } from './lib'
 import { MeteorPubSub } from '@sofie-automation/meteor-lib/dist/api/pubsub'
 import { Blueprint } from '@sofie-automation/corelib/dist/dataModel/Blueprint'
 import { Evaluation } from '@sofie-automation/meteor-lib/dist/collections/Evaluations'
 import { SnapshotItem } from '@sofie-automation/meteor-lib/dist/collections/Snapshots'
 import { UserActionsLogItem } from '@sofie-automation/meteor-lib/dist/collections/UserActionsLog'
-import { OrganizationReadAccess } from '../security/organization'
 import { FindOptions } from '@sofie-automation/meteor-lib/dist/collections/lib'
 import { DBOrganization } from '@sofie-automation/meteor-lib/dist/collections/Organization'
-import { isProtectedString } from '@sofie-automation/corelib/dist/protectedString'
 import { Blueprints, Evaluations, Organizations, Snapshots, UserActionsLog } from '../collections'
 import { MongoQuery } from '@sofie-automation/corelib/dist/mongo'
 import { BlueprintId, OrganizationId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { CorelibPubSub } from '@sofie-automation/corelib/dist/pubsub'
 import { check, Match } from '../lib/check'
 import { getCurrentTime } from '../lib/lib'
+import { triggerWriteAccessBecauseNoCheckNecessary } from '../security/lib/securityVerify'
 
 meteorPublish(
 	MeteorPubSub.organization,
-	async function (organizationId: OrganizationId | null, token: string | undefined) {
+	async function (organizationId: OrganizationId | null, _token: string | undefined) {
+		triggerWriteAccessBecauseNoCheckNecessary()
+
 		if (!organizationId) return null
 
-		const { cred, selector } = await AutoFillSelector.organizationId(this.userId, { _id: organizationId }, token)
+		const selector: MongoQuery<DBOrganization> = { _id: organizationId }
+
 		const modifier: FindOptions<DBOrganization> = {
 			fields: {
 				name: 1,
@@ -29,83 +31,70 @@ meteorPublish(
 				userRoles: 1, // to not expose too much information consider [`userRoles.${this.userId}`]: 1, and a method/publication for getting all the roles, or limiting the returned roles based on requesting user's role
 			},
 		}
-		if (
-			isProtectedString(selector.organizationId) &&
-			(!cred || (await OrganizationReadAccess.organizationContent(selector.organizationId, cred)))
-		) {
-			return Organizations.findWithCursor({ _id: selector.organizationId }, modifier)
-		}
-		return null
+
+		return Organizations.findWithCursor({ _id: selector.organizationId }, modifier)
 	}
 )
 
-meteorPublish(CorelibPubSub.blueprints, async function (blueprintIds: BlueprintId[] | null, token: string | undefined) {
-	check(blueprintIds, Match.Maybe(Array))
+meteorPublish(
+	CorelibPubSub.blueprints,
+	async function (blueprintIds: BlueprintId[] | null, _token: string | undefined) {
+		// nocommit - is this correct?
+		triggerWriteAccessBecauseNoCheckNecessary()
 
-	// If values were provided, they must have values
-	if (blueprintIds && blueprintIds.length === 0) return null
+		check(blueprintIds, Match.Maybe(Array))
 
-	const { cred, selector } = await AutoFillSelector.organizationId<Blueprint>(this.userId, {}, token)
+		// If values were provided, they must have values
+		if (blueprintIds && blueprintIds.length === 0) return null
 
-	// Add the requested filter
-	if (blueprintIds) selector._id = { $in: blueprintIds }
+		// Add the requested filter
+		const selector: MongoQuery<Blueprint> = {}
+		if (blueprintIds) selector._id = { $in: blueprintIds }
 
-	if (!cred || (await OrganizationReadAccess.organizationContent(selector.organizationId, cred))) {
 		return Blueprints.findWithCursor(selector, {
 			fields: {
 				code: 0,
 			},
 		})
 	}
-	return null
-})
-meteorPublish(MeteorPubSub.evaluations, async function (dateFrom: number, dateTo: number, token: string | undefined) {
-	const selector0: MongoQuery<Evaluation> = {
+)
+meteorPublish(MeteorPubSub.evaluations, async function (dateFrom: number, dateTo: number, _token: string | undefined) {
+	triggerWriteAccessBecauseNoCheckNecessary()
+
+	const selector: MongoQuery<Evaluation> = {
 		timestamp: {
 			$gte: dateFrom,
 			$lt: dateTo,
 		},
 	}
 
-	const { cred, selector } = await AutoFillSelector.organizationId<Evaluation>(this.userId, selector0, token)
-	if (!cred || (await OrganizationReadAccess.organizationContent(selector.organizationId, cred))) {
-		return Evaluations.findWithCursor(selector)
-	}
-	return null
+	return Evaluations.findWithCursor(selector)
 })
-meteorPublish(MeteorPubSub.snapshots, async function (token: string | undefined) {
-	const selector0: MongoQuery<SnapshotItem> = {
+meteorPublish(MeteorPubSub.snapshots, async function (_token: string | undefined) {
+	triggerWriteAccessBecauseNoCheckNecessary()
+
+	const selector: MongoQuery<SnapshotItem> = {
 		created: {
 			$gt: getCurrentTime() - 30 * 24 * 3600 * 1000, // last 30 days
 		},
 	}
 
-	const { cred, selector } = await AutoFillSelector.organizationId<SnapshotItem>(this.userId, selector0, token)
-	if (!cred || (await OrganizationReadAccess.organizationContent(selector.organizationId, cred))) {
-		return Snapshots.findWithCursor(selector)
-	}
-	return null
+	return Snapshots.findWithCursor(selector)
 })
 meteorPublish(
 	MeteorPubSub.userActionsLog,
-	async function (dateFrom: number, dateTo: number, token: string | undefined) {
-		const selector0: MongoQuery<UserActionsLogItem> = {
+	async function (dateFrom: number, dateTo: number, _token: string | undefined) {
+		triggerWriteAccessBecauseNoCheckNecessary()
+
+		const selector: MongoQuery<UserActionsLogItem> = {
 			timestamp: {
 				$gte: dateFrom,
 				$lt: dateTo,
 			},
 		}
 
-		const { cred, selector } = await AutoFillSelector.organizationId<UserActionsLogItem>(
-			this.userId,
-			selector0,
-			token
-		)
-		if (!cred || (await OrganizationReadAccess.organizationContent(selector.organizationId, cred))) {
-			return UserActionsLog.findWithCursor(selector, {
-				limit: 10_000, // this is to prevent having a publication that produces a very large array
-			})
-		}
-		return null
+		return UserActionsLog.findWithCursor(selector, {
+			limit: 10_000, // this is to prevent having a publication that produces a very large array
+		})
 	}
 )