From df6cd4a0544520b413536d26f63fff0049317dbb Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Fri, 4 Oct 2019 13:41:49 +0100
Subject: [PATCH] Also block getConnectedUsers for restricted users.

Plus refactor to use a pass list instead of a deny list.
---
 .../app/coffee/WebsocketController.coffee | 5 ++++-
 .../app/coffee/WebsocketLoadBalancer.coffee | 13 ++++++++++++-
 .../unit/coffee/WebsocketControllerTests.coffee | 14 ++++++++++++++
 .../unit/coffee/WebsocketLoadBalancerTests.coffee | 2 +-
 4 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/services/real-time/app/coffee/WebsocketController.coffee b/services/real-time/app/coffee/WebsocketController.coffee
index bc46ce12e0..d0ca99cc5c 100644
--- a/services/real-time/app/coffee/WebsocketController.coffee
+++ b/services/real-time/app/coffee/WebsocketController.coffee
@@ -178,8 +178,11 @@ module.exports = WebsocketController =
 	CLIENT_REFRESH_DELAY: 1000
 	getConnectedUsers: (client, callback = (error, users) ->) ->
 		metrics.inc "editor.get-connected-users"
-		Utils.getClientAttributes client, ["project_id", "user_id"], (error, {project_id, user_id}) ->
+		Utils.getClientAttributes client, ["project_id", "user_id", "is_restricted_user"], (error, clientAttributes) ->
 			return callback(error) if error?
+			{project_id, user_id, is_restricted_user} = clientAttributes
+			if is_restricted_user
+				return callback(null, [])
 			return callback(new Error("no project_id found on client")) if !project_id?
 			logger.log {user_id, project_id, client_id: client.id}, "getting connected users"
 			AuthorizationManager.assertClientCanViewProject client, (error) ->
diff --git a/services/real-time/app/coffee/WebsocketLoadBalancer.coffee b/services/real-time/app/coffee/WebsocketLoadBalancer.coffee
index 21e6235505..ba69d79beb 100644
--- a/services/real-time/app/coffee/WebsocketLoadBalancer.coffee
+++ b/services/real-time/app/coffee/WebsocketLoadBalancer.coffee
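Review bot: The new early return under `if is_restricted_user` carries no comment saying why a restricted user is answered with an empty list rather than an error, and it sits before both the `project_id` check and the `assertClientCanViewProject` call, so a restricted client gets `[]` even in cases that would otherwise fail authorization. If that ordering is deliberate (a restricted user must not learn collaborator presence at all, so there is nothing to look up or authorize), say so on the line: `# Restricted users must not see who else is connected; answer with no users before any lookup or auth check`. If it is not deliberate, the check belongs inside the authorization callback so that unauthorized clients keep receiving the error. The callback body continues past the end of the hunk.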
@@ -10,6 +10,17 @@ ConnectedUsersManager = require "./ConnectedUsersManager"
 Utils = require './Utils'
 Async = require 'async'
 
+RESTRICTED_USER_MESSAGE_TYPE_PASS_LIST = [
+	'connectionAccepted',
+	'otUpdateApplied',
+	'otUpdateError',
+	'joinDoc',
+	'reciveNewDoc',
+	'reciveNewFile',
+	'reciveNewFolder',
+	'removeEntity'
+]
+
 module.exports = WebsocketLoadBalancer =
 	rclientPubList: RedisClientManager.createClientList(Settings.redis.pubsub)
 	rclientSubList: RedisClientManager.createClientList(Settings.redis.pubsub)
@@ -86,7 +97,7 @@ module.exports = WebsocketLoadBalancer =
 					return cb(err) if err?
 					if !seen[client.id]
 						seen[client.id] = true
-						if !(is_restricted_user && message.message in ['new-chat-message', 'new-comment'])
+						if !(is_restricted_user && message.message not in RESTRICTED_USER_MESSAGE_TYPE_PASS_LIST)
 							client.emit(message.message, message.payload...)
 					cb()
 				, (err) ->
diff --git a/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee b/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee
index ab5a503716..116485384d 100644
--- a/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee
+++ b/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee
@@ -403,6 +403,20 @@ describe 'WebsocketController', ->
 			it "should return an error", ->
 				@callback.calledWith(@err).should.equal true
 
+		describe "when restricted user", ->
+			beforeEach ->
+				@client.params.is_restricted_user = true
+				@AuthorizationManager.assertClientCanViewProject = sinon.stub().callsArgWith(1, null)
+				@WebsocketController.getConnectedUsers @client, @callback
+
+			it "should return an empty array of users", ->
+				@callback.calledWith(null, []).should.equal true
+
+			it "should not get the connected users for the project", ->
+				@ConnectedUsersManager.getConnectedUsers
+					.called
+					.should.equal false
+
 	describe "updateClientPosition", ->
 		beforeEach ->
 			@WebsocketLoadBalancer.emitToRoom = sinon.stub()
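Review bot: `RESTRICTED_USER_MESSAGE_TYPE_PASS_LIST` has no comment stating that it is now the complete set of message types a restricted user may receive and that anything not listed is dropped, which is the fail-closed property this commit introduces; a maintainer adding a new message type needs to know it will be withheld from restricted users until it is added here. A comment above the list such as `# Every message type a restricted (read-only) user may receive; anything not listed is dropped in emitToRoom, so new types are blocked by default` would carry that. The entries `reciveNewDoc`, `reciveNewFile` and `reciveNewFolder` presumably have to match the event names exactly as they are published, so if that spelling is intentional a short `# spelling matches the published event names` note would stop a later "typo fix" from silently blocking those messages for restricted users.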
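Review bot: The rewritten condition `if !(is_restricted_user && message.message not in RESTRICTED_USER_MESSAGE_TYPE_PASS_LIST)` negates a conjunction that itself contains a `not in`, which takes two readings to follow; the equivalent `if !is_restricted_user or message.message in RESTRICTED_USER_MESSAGE_TYPE_PASS_LIST` states the rule directly. A message withheld from a restricted user is also dropped with no log line or counter, so there is no way to tell from production that a given message type is being filtered (the deny-list version had the same gap); if a metrics client is available in this file as it is in WebsocketController, an `else` branch incrementing a counter (name to be chosen, e.g. a constructed `editor.restricted-user-message-dropped`) would make the filtering observable. The enclosing function starts and ends outside the hunk.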
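Review bot: The new `when restricted user` block stubs `assertClientCanViewProject` but never asserts whether it ran, so the test does not pin whether the restricted short-circuit happens before or after authorization, which is the ordering choice the controller change actually makes. Adding `@AuthorizationManager.assertClientCanViewProject.called.should.equal false` (or `true`, whichever ordering is intended) alongside the existing `should not get the connected users` case would lock that in. The enclosing `describe` starts outside the hunk.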
diff --git a/services/real-time/test/unit/coffee/WebsocketLoadBalancerTests.coffee b/services/real-time/test/unit/coffee/WebsocketLoadBalancerTests.coffee
index a1906ab72c..e6fe1df8c9 100644
--- a/services/real-time/test/unit/coffee/WebsocketLoadBalancerTests.coffee
+++ b/services/real-time/test/unit/coffee/WebsocketLoadBalancerTests.coffee
@@ -32,7 +32,7 @@ describe "WebsocketLoadBalancer", ->
 			}]
 		@room_id = "room-id"
-		@message = "message-to-editor"
+		@message = "otUpdateApplied"
 		@payload = ["argument one", 42]
 
 	describe "emitToRoom", ->
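Review bot: Switching `@message` to `otUpdateApplied` keeps the existing emit tests passing under the pass list, but nothing in this diff exercises the new dropping path — a client with `is_restricted_user` set receiving a message type that is not in `RESTRICTED_USER_MESSAGE_TYPE_PASS_LIST` — which is the behaviour the commit exists to add. A case asserting that `client.emit` is not called for such a message (for example the old `new-chat-message`) would cover it, unless a test of that shape already exists further down the file, which is outside the hunk. The `beforeEach` this hunk sits in starts outside the hunk.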