From 6d4d643fd9a000886842a3fd97bf72dc8644e045 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann <jakob.ackermann@overleaf.com>
Date: Mon, 5 Jun 2023 11:18:00 +0100
Subject: [PATCH] Merge pull request #13325 from overleaf/jpa-real-time-check

[real-time] add check for project admin

GitOrigin-RevId: 1677b78cf7f263fc98ca539e26e21553d0ea55bd
---
 .../real-time/app/js/WebsocketLoadBalancer.js | 27 +++++++++++++++++--
 .../test/acceptance/js/JoinProjectTests.js    |  1 +
 .../acceptance/js/ReceiveEditorEventTests.js  | 27 +++++++++++++++++++
 .../acceptance/js/helpers/MockWebServer.js    |  5 ++++
 4 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/services/real-time/app/js/WebsocketLoadBalancer.js b/services/real-time/app/js/WebsocketLoadBalancer.js
index 294fe294a0..0e9ea62adf 100644
--- a/services/real-time/app/js/WebsocketLoadBalancer.js
+++ b/services/real-time/app/js/WebsocketLoadBalancer.js
@@ -179,9 +179,32 @@ module.exports = WebsocketLoadBalancer = {
               client.emit('project:access:revoked')
               client.disconnect()
             } else {
-              if (
-                !(isRestrictedMessage && client.ol_context.is_restricted_user)
+              if (isRestrictedMessage && client.ol_context.is_restricted_user) {
+                // hide restricted message
+                logger.debug(
+                  {
+                    message,
+                    clientId: client.id,
+                    userId: client.ol_context.user_id,
+                    projectId: client.ol_context.project_id,
+                  },
+                  'hiding restricted message from client'
+                )
+              } else if (
+                message.message === 'project:tokens:changed' &&
+                client.ol_context.owner_id !== client.ol_context.user_id
               ) {
+                // hide owner only message
+                logger.debug(
+                  {
+                    message,
+                    clientId: client.id,
+                    userId: client.ol_context.user_id,
+                    projectId: client.ol_context.project_id,
+                  },
+                  'hiding owner only message from client'
+                )
+              } else {
                 client.emit(message.message, ...message.payload)
               }
             }
diff --git a/services/real-time/test/acceptance/js/JoinProjectTests.js b/services/real-time/test/acceptance/js/JoinProjectTests.js
index 2cc8fe773b..0dbe7e6673 100644
--- a/services/real-time/test/acceptance/js/JoinProjectTests.js
+++ b/services/real-time/test/acceptance/js/JoinProjectTests.js
@@ -66,6 +66,7 @@ describe('joinProject', function () {
     it('should return the project', function () {
       return this.project.should.deep.equal({
         name: 'Test Project',
+        owner: { _id: this.user_id },
       })
     })
 
diff --git a/services/real-time/test/acceptance/js/ReceiveEditorEventTests.js b/services/real-time/test/acceptance/js/ReceiveEditorEventTests.js
index f44f29719f..b815ff53ba 100644
--- a/services/real-time/test/acceptance/js/ReceiveEditorEventTests.js
+++ b/services/real-time/test/acceptance/js/ReceiveEditorEventTests.js
@@ -234,6 +234,7 @@ describe('receiveEditorEvent', function () {
             'userRemovedFromProject',
             'project:publicAccessLevel:changed',
             'project:access:revoked',
+            'project:tokens:changed',
           ]
 
           for (const eventName of eventNames) {
@@ -273,6 +274,32 @@ describe('receiveEditorEvent', function () {
     }
   })
 
+  describe('event: project:tokens:changed', function () {
+    beforeEach(function (done) {
+      rclient.publish(
+        'editor-events',
+        JSON.stringify({
+          room_id: this.project_id,
+          message: 'project:tokens:changed',
+          payload: [{ tokens: 'TOKENS' }],
+        })
+      )
+      setTimeout(done, 200)
+    })
+
+    it('should send the event to the owner', function () {
+      expect(this.owner_updates).to.deep.equal([
+        { 'project:tokens:changed': { tokens: 'TOKENS' } },
+      ])
+    })
+
+    it('should not send the event to the other clients', function () {
+      expect(this.user_a_updates).to.deep.equal([])
+      expect(this.user_b_updates).to.deep.equal([])
+      expect(this.user_c_updates).to.deep.equal([])
+    })
+  })
+
   describe('event: project:publicAccessLevel:changed, set to private', function () {
     beforeEach(function (done) {
       /**
diff --git a/services/real-time/test/acceptance/js/helpers/MockWebServer.js b/services/real-time/test/acceptance/js/helpers/MockWebServer.js
index 0cc4420a4c..0994ad71d9 100644
--- a/services/real-time/test/acceptance/js/helpers/MockWebServer.js
+++ b/services/real-time/test/acceptance/js/helpers/MockWebServer.js
@@ -33,6 +33,11 @@ module.exports = MockWebServer = {
       MockWebServer.privileges[projectId][userId] ||
       MockWebServer.privileges[projectId]['anonymous-user']
     const userMetadata = MockWebServer.userMetadata[projectId]?.[userId]
+    if (privilegeLevel === 'owner') {
+      project.owner = { _id: userId }
+    } else {
+      project.owner = { _id: '404404404404404404404404' }
+    }
     return callback(null, project, privilegeLevel, userMetadata)
   },