wip: refine permissions for publications

Author: Julusian

meteor/server/publications/organization.ts

@@ -13,6 +13,7 @@ import { CorelibPubSub } from '@sofie-automation/corelib/dist/pubsub'
 import { check, Match } from '../lib/check'
 import { getCurrentTime } from '../lib/lib'
 import { triggerWriteAccessBecauseNoCheckNecessary } from '../security/securityVerify'
+import { assertConnectionHasOneOfPermissions } from '../security/auth'
 
 meteorPublish(
 	MeteorPubSub.organization,
@@ -39,8 +40,7 @@ meteorPublish(
 meteorPublish(
 	CorelibPubSub.blueprints,
 	async function (blueprintIds: BlueprintId[] | null, _token: string | undefined) {
-		// nocommit - is this correct?
-		triggerWriteAccessBecauseNoCheckNecessary()
+		assertConnectionHasOneOfPermissions(this.connection, 'configure')
 
 		check(blueprintIds, Match.Maybe(Array))
 
@@ -71,7 +71,7 @@ meteorPublish(MeteorPubSub.evaluations, async function (dateFrom: number, dateTo
 	return Evaluations.findWithCursor(selector)
 })
 meteorPublish(MeteorPubSub.snapshots, async function (_token: string | undefined) {
-	triggerWriteAccessBecauseNoCheckNecessary()
+	assertConnectionHasOneOfPermissions(this.connection, 'configure')
 
 	const selector: MongoQuery<SnapshotItem> = {
 		created: {

meteor/server/publications/packageManager/packageContainers.ts

@@ -5,9 +5,8 @@ import { MongoFieldSpecifierOnesStrict } from '@sofie-automation/corelib/dist/mo
 import { PackageContainer } from '@sofie-automation/shared-lib/dist/package-manager/package'
 import { PackageManagerPackageContainers } from '@sofie-automation/shared-lib/dist/package-manager/publications'
 import { check } from 'meteor/check'
-import { Meteor } from 'meteor/meteor'
 import { ReadonlyDeep } from 'type-fest'
-import { PeripheralDevices, Studios } from '../../collections'
+import { Studios } from '../../collections'
 import {
 	meteorCustomPublish,
 	SetupObserversResult,
@@ -20,7 +19,7 @@ import {
 	PeripheralDevicePubSubCollectionsNames,
 } from '@sofie-automation/shared-lib/dist/pubsub/peripheralDevice'
 import { applyAndValidateOverrides } from '@sofie-automation/corelib/dist/settings/objectWithOverrides'
-import { triggerWriteAccessBecauseNoCheckNecessary } from '../../security/securityVerify'
+import { checkAccessAndGetPeripheralDevice } from '../../security/check'
 
 type StudioFields = '_id' | 'packageContainersWithOverrides'
 const studioFieldSpecifier = literal<MongoFieldSpecifierOnesStrict<Pick<DBStudio, StudioFields>>>({
@@ -93,14 +92,10 @@ async function manipulateExpectedPackagesPublicationData(
 meteorCustomPublish(
 	PeripheralDevicePubSub.packageManagerPackageContainers,
 	PeripheralDevicePubSubCollectionsNames.packageManagerPackageContainers,
-	async function (pub, deviceId: PeripheralDeviceId, _token: string | undefined) {
+	async function (pub, deviceId: PeripheralDeviceId, token: string | undefined) {
 		check(deviceId, String)
 
-		triggerWriteAccessBecauseNoCheckNecessary()
-
-		const peripheralDevice = await PeripheralDevices.findOneAsync(deviceId)
-
-		if (!peripheralDevice) throw new Meteor.Error('PeripheralDevice "' + deviceId + '" not found')
+		const peripheralDevice = await checkAccessAndGetPeripheralDevice(deviceId, token, this)
 
 		const studioId = peripheralDevice.studioId
 		if (!studioId) {

meteor/server/publications/packageManager/playoutContext.ts

@@ -5,9 +5,8 @@ import { literal } from '@sofie-automation/corelib/dist/lib'
 import { MongoFieldSpecifierOnesStrict } from '@sofie-automation/corelib/dist/mongo'
 import { PackageManagerPlayoutContext } from '@sofie-automation/shared-lib/dist/package-manager/publications'
 import { check } from 'meteor/check'
-import { Meteor } from 'meteor/meteor'
 import { ReadonlyDeep } from 'type-fest'
-import { PeripheralDevices, RundownPlaylists, Rundowns } from '../../collections'
+import { RundownPlaylists, Rundowns } from '../../collections'
 import {
 	meteorCustomPublish,
 	SetupObserversResult,
@@ -19,7 +18,7 @@ import {
 	PeripheralDevicePubSub,
 	PeripheralDevicePubSubCollectionsNames,
 } from '@sofie-automation/shared-lib/dist/pubsub/peripheralDevice'
-import { triggerWriteAccessBecauseNoCheckNecessary } from '../../security/securityVerify'
+import { checkAccessAndGetPeripheralDevice } from '../../security/check'
 
 export type RundownPlaylistCompact = Pick<DBRundownPlaylist, '_id' | 'activationId' | 'rehearsal' | 'rundownIdsInOrder'>
 const rundownPlaylistFieldSpecifier = literal<MongoFieldSpecifierOnesStrict<RundownPlaylistCompact>>({
@@ -111,14 +110,10 @@ async function manipulateExpectedPackagesPublicationData(
 meteorCustomPublish(
 	PeripheralDevicePubSub.packageManagerPlayoutContext,
 	PeripheralDevicePubSubCollectionsNames.packageManagerPlayoutContext,
-	async function (pub, deviceId: PeripheralDeviceId, _token: string | undefined) {
+	async function (pub, deviceId: PeripheralDeviceId, token: string | undefined) {
 		check(deviceId, String)
 
-		triggerWriteAccessBecauseNoCheckNecessary()
-
-		const peripheralDevice = await PeripheralDevices.findOneAsync(deviceId)
-
-		if (!peripheralDevice) throw new Meteor.Error('PeripheralDevice "' + deviceId + '" not found')
+		const peripheralDevice = await checkAccessAndGetPeripheralDevice(deviceId, token, this)
 
 		const studioId = peripheralDevice.studioId
 		if (!studioId) {

meteor/server/publications/studio.ts

@@ -34,11 +34,11 @@ import {
 } from '@sofie-automation/shared-lib/dist/pubsub/peripheralDevice'
 import { triggerWriteAccessBecauseNoCheckNecessary } from '../security/securityVerify'
 import { checkAccessAndGetPeripheralDevice } from '../security/check'
+import { assertConnectionHasOneOfPermissions } from '../security/auth'
 
 meteorPublish(CorelibPubSub.studios, async function (studioIds: StudioId[] | null, _token: string | undefined) {
 	check(studioIds, Match.Maybe(Array))
 
-	// nocommit: this is wrong, and will leak secrets to readonly clients
 	triggerWriteAccessBecauseNoCheckNecessary()
 
 	// If values were provided, they must have values
@@ -134,7 +134,7 @@ meteorCustomPublish(
 	async function (pub, studioId: StudioId, _token: string | undefined) {
 		check(studioId, String)
 
-		triggerWriteAccessBecauseNoCheckNecessary()
+		assertConnectionHasOneOfPermissions(this.connection, 'testing')
 
 		await createObserverForMappingsPublication(pub, studioId)
 	}

meteor/server/publications/timeline.ts

@@ -36,11 +36,11 @@ import {
 	PeripheralDevicePubSubCollectionsNames,
 } from '@sofie-automation/shared-lib/dist/pubsub/peripheralDevice'
 import { applyAndValidateOverrides } from '@sofie-automation/corelib/dist/settings/objectWithOverrides'
-import { triggerWriteAccessBecauseNoCheckNecessary } from '../security/securityVerify'
 import { checkAccessAndGetPeripheralDevice } from '../security/check'
+import { assertConnectionHasOneOfPermissions } from '../security/auth'
 
 meteorPublish(CorelibPubSub.timelineDatastore, async function (studioId: StudioId, _token: string | undefined) {
-	triggerWriteAccessBecauseNoCheckNecessary()
+	assertConnectionHasOneOfPermissions(this.connection, 'testing')
 
 	if (!studioId) throw new Meteor.Error(400, 'selector argument missing')
 	const modifier: FindOptions<DBTimelineDatastoreEntry> = {
@@ -86,7 +86,7 @@ meteorCustomPublish(
 	MeteorPubSub.timelineForStudio,
 	PeripheralDevicePubSubCollectionsNames.studioTimeline,
 	async function (pub, studioId: StudioId, _token: string | undefined) {
-		triggerWriteAccessBecauseNoCheckNecessary()
+		assertConnectionHasOneOfPermissions(this.connection, 'testing')
 
 		await createObserverForTimelinePublication(pub, studioId)
 	}