Reject publishing with insufficient permissions present (#1418)

Author: lukasIO

.changeset/smart-countries-deny.md

@@ -0,0 +1,5 @@
+---
+"livekit-client": patch
+---
+
+Reject publishing with insufficient permissions present

src/room/errors.ts

@@ -84,6 +84,16 @@ export class PublishDataError extends LivekitError {
   }
 }
 
+export class PublishTrackError extends LivekitError {
+  status: number;
+
+  constructor(message: string, status: number) {
+    super(15, message);
+    this.name = 'PublishTrackError';
+    this.status = status;
+  }
+}
+
 export type RequestErrorReason =
   | Exclude<RequestResponse_Reason, RequestResponse_Reason.OK>
   | 'TimeoutError';

src/room/participant/LocalParticipant.ts

@@ -34,6 +34,7 @@ import { defaultVideoCodec } from '../defaults';
 import {
   DeviceUnsupportedError,
   LivekitError,
+  PublishTrackError,
   SignalRequestError,
   TrackInvalidError,
   UnexpectedConnectionState,
@@ -64,6 +65,7 @@ import {
   constraintsForOptions,
   extractProcessorsFromOptions,
   getLogContextFromTrack,
+  getTrackSourceFromProto,
   mergeDefaultOptions,
   mimeTypeToVideoCodecString,
   screenCaptureToDisplayMediaStreamOptions,
@@ -871,7 +873,29 @@ export default class LocalParticipant extends Participant {
     }
   }
 
+  private hasPermissionsToPublish(track: LocalTrack): boolean {
+    if (!this.permissions) {
+      return false;
+    }
+    const { canPublish, canPublishSources } = this.permissions;
+    if (
+      !canPublish ||
+      (canPublishSources &&
+        !canPublishSources.map((source) => getTrackSourceFromProto(source)).includes(track.source))
+    ) {
+      this.log.error('insufficient permissions to publish', {
+        ...this.logContext,
+        ...getLogContextFromTrack(track),
+      });
+      return false;
+    }
+    return true;
+  }
+
   private async publish(track: LocalTrack, opts: TrackPublishOptions, isStereo: boolean) {
+    if (!this.hasPermissionsToPublish(track)) {
+      throw new PublishTrackError('failed to publish track, insufficient permissions', 403);
+    }
     const existingTrackOfSource = Array.from(this.trackPublications.values()).find(
       (publishedTrack) => isLocalTrack(track) && publishedTrack.source === track.source,
     );

src/room/track/utils.ts

@@ -1,4 +1,4 @@
-import { TrackPublishedResponse } from '@livekit/protocol';
+import { TrackPublishedResponse, TrackSource } from '@livekit/protocol';
 import type { AudioProcessorOptions, TrackProcessor, VideoProcessorOptions } from '../..';
 import { cloneDeep } from '../../utils/cloneDeep';
 import { isSafari, sleep } from '../utils';
@@ -294,3 +294,18 @@ export function extractProcessorsFromOptions(options: CreateLocalTracksOptions)
 
   return { audioProcessor, videoProcessor, optionsWithoutProcessor: newOptions };
 }
+
+export function getTrackSourceFromProto(source: TrackSource): Track.Source {
+  switch (source) {
+    case TrackSource.CAMERA:
+      return Track.Source.Camera;
+    case TrackSource.MICROPHONE:
+      return Track.Source.Microphone;
+    case TrackSource.SCREEN_SHARE:
+      return Track.Source.ScreenShare;
+    case TrackSource.SCREEN_SHARE_AUDIO:
+      return Track.Source.ScreenShareAudio;
+    default:
+      return Track.Source.Unknown;
+  }
+}