Archive/screentinker
1
0
Fork 0
mirror of https://github.com/screentinker/screentinker.git synced 2026-05-15 07:32:23 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

Phase 2.2l: video-walls.js scoped to workspace_id; fixes 4 pre-existing cross-tenant leaks (POST playlist_id, PUT playlist/content/leader_device, PUT /devices, PUT /content); drops dead admin/team_members code paths left over from Phase 2.1 role rename; team_id column noted for future cleanup

Browse source
This commit is contained in:
ScreenTinker 2026-05-11 22:56:08 -05:00
parent 52e68ac490
commit b6c90d3421
1 changed files with 109 additions and 95 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

204
server/routes/video-walls.js
View file

@ -2,50 +2,44 @@ const express = require('express');
const router = express.Router(); const router = express.Router();
const { v4: uuidv4 } = require('uuid'); const { v4: uuidv4 } = require('uuid');
const { db } = require('../db/database'); const { db } = require('../db/database');
const { PLATFORM_ROLES } = require('../middleware/auth'); // Phase 2.2l: workspace-aware access. Drops the previous listVisibleWalls /
// userCanAccessWall helpers - the admin/team_members branches there were
// dead code after the Phase 2.1 role rename (no users carry role='admin'
// anymore; team_members is a vestigial table from the pre-workspace model).
const { accessContext } = require('../lib/tenancy');
// Visibility model (matches widgets/users): // Load a wall + access context. Returns the wall row or null after sending
// superadmin: all walls // 403/404. requireWrite=true also denies workspace_viewer.
// admin: own + walls owned by members of teams this admin owns function loadWallAccess(req, res, requireWrite) {
// user: own only const wall = db.prepare('SELECT * FROM video_walls WHERE id = ?').get(req.params.id);
function listVisibleWalls(user) { if (!wall) { res.status(404).json({ error: 'Wall not found' }); return null; }
if (PLATFORM_ROLES.includes(user.role)) { if (!wall.workspace_id) { res.status(403).json({ error: 'Wall not assigned to a workspace' }); return null; }
return db.prepare('SELECT * FROM video_walls ORDER BY created_at DESC').all(); const ws = db.prepare('SELECT * FROM workspaces WHERE id = ?').get(wall.workspace_id);
const ctx = ws && accessContext(req.user.id, req.user.role, ws);
if (!ctx) { res.status(403).json({ error: 'Access denied' }); return null; }
if (requireWrite && !ctx.actingAs && ctx.workspaceRole === 'workspace_viewer') {
res.status(403).json({ error: 'Read-only access' }); return null;
} }
if (user.role === 'admin') { req.wall = wall;
return db.prepare(` req.wallCtx = ctx;
SELECT DISTINCT w.* FROM video_walls w return wall;
LEFT JOIN team_members tm_target ON w.user_id = tm_target.user_id
LEFT JOIN team_members tm_admin
ON tm_admin.team_id = tm_target.team_id
AND tm_admin.user_id = ?
AND tm_admin.role = 'owner'
WHERE w.user_id = ?
OR tm_admin.team_id IS NOT NULL
ORDER BY w.created_at DESC
`).all(user.id, user.id);
}
return db.prepare('SELECT * FROM video_walls WHERE user_id = ? ORDER BY created_at DESC').all(user.id);
} }
function userCanAccessWall(user, wall) { function requireWallRead(req, res, next) {
if (PLATFORM_ROLES.includes(user.role)) return true; if (!loadWallAccess(req, res, false)) return;
if (wall.user_id === user.id) return true; next();
if (user.role === 'admin') {
const ownsTeamWithOwner = db.prepare(`
SELECT 1 FROM team_members tm_target
JOIN team_members tm_admin ON tm_admin.team_id = tm_target.team_id
WHERE tm_target.user_id = ? AND tm_admin.user_id = ? AND tm_admin.role = 'owner'
LIMIT 1
`).get(wall.user_id, user.id);
if (ownsTeamWithOwner) return true;
}
return false;
} }
// List walls (with attached devices) function requireWallWrite(req, res, next) {
if (!loadWallAccess(req, res, true)) return;
next();
}
// List walls (with attached devices). Phase 2.2l: scoped to caller's
// current workspace.
router.get('/', (req, res) => { router.get('/', (req, res) => {
const walls = listVisibleWalls(req.user); if (!req.workspaceId) return res.json([]);
const walls = db.prepare('SELECT * FROM video_walls WHERE workspace_id = ? ORDER BY created_at DESC').all(req.workspaceId);
const devStmt = db.prepare(` const devStmt = db.prepare(`
SELECT vwd.*, d.name as device_name, d.status as device_status SELECT vwd.*, d.name as device_name, d.status as device_status
@ -59,15 +53,6 @@ router.get('/', (req, res) => {
res.json(walls); res.json(walls);
}); });
function checkWallAccess(req, res) {
const wall = db.prepare('SELECT * FROM video_walls WHERE id = ?').get(req.params.id);
if (!wall) { res.status(404).json({ error: 'Wall not found' }); return null; }
if (!userCanAccessWall(req.user, wall)) {
res.status(403).json({ error: 'Access denied' }); return null;
}
return wall;
}
// Notify dashboard clients to re-fetch walls/devices. Re-fetches re-apply // Notify dashboard clients to re-fetch walls/devices. Re-fetches re-apply
// per-user visibility filtering, so a broadcast is safe. // per-user visibility filtering, so a broadcast is safe.
function notifyDashboards(req) { function notifyDashboards(req) {
@ -105,22 +90,38 @@ function pushToWallMembers(req, wallId) {
} }
// Get wall with devices // Get wall with devices
router.get('/:id', (req, res) => { router.get('/:id', requireWallRead, (req, res) => {
const wall = checkWallAccess(req, res); res.json(loadWallWithDevices(req.wall.id));
if (!wall) return;
res.json(loadWallWithDevices(wall.id));
}); });
// Create wall // Create wall. Phase 2.2l: stamps workspace_id; closes pre-existing leak
// where playlist_id was accepted with NO cross-tenant check (caller could
// embed a foreign workspace's playlist into a wall they create).
router.post('/', (req, res) => { router.post('/', (req, res) => {
if (!req.workspaceId) return res.status(400).json({ error: 'No active workspace' });
const ws = db.prepare('SELECT * FROM workspaces WHERE id = ?').get(req.workspaceId);
const ctx = ws && accessContext(req.user.id, req.user.role, ws);
if (!ctx) return res.status(403).json({ error: 'Access denied' });
if (!ctx.actingAs && ctx.workspaceRole === 'workspace_viewer') {
return res.status(403).json({ error: 'Read-only access' });
}
const { name, grid_cols, grid_rows, bezel_h_mm, bezel_v_mm, playlist_id } = req.body; const { name, grid_cols, grid_rows, bezel_h_mm, bezel_v_mm, playlist_id } = req.body;
if (!name) return res.status(400).json({ error: 'name required' }); if (!name) return res.status(400).json({ error: 'name required' });
if (playlist_id) {
const pl = db.prepare('SELECT workspace_id FROM playlists WHERE id = ?').get(playlist_id);
if (!pl) return res.status(404).json({ error: 'Playlist not found' });
if (pl.workspace_id !== req.workspaceId) {
return res.status(403).json({ error: 'Playlist is not in this workspace' });
}
}
const id = uuidv4(); const id = uuidv4();
db.prepare(` db.prepare(`
INSERT INTO video_walls (id, user_id, name, grid_cols, grid_rows, bezel_h_mm, bezel_v_mm, playlist_id) INSERT INTO video_walls (id, user_id, workspace_id, name, grid_cols, grid_rows, bezel_h_mm, bezel_v_mm, playlist_id)
VALUES (?, ?, ?, ?, ?, ?, ?, ?) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
`).run(id, req.user.id, name, grid_cols || 2, grid_rows || 1, `).run(id, req.user.id, req.workspaceId, name, grid_cols || 2, grid_rows || 1,
bezel_h_mm || 0, bezel_v_mm || 0, playlist_id || null); bezel_h_mm || 0, bezel_v_mm || 0, playlist_id || null);
const wall = loadWallWithDevices(id); const wall = loadWallWithDevices(id);
@ -128,10 +129,33 @@ router.post('/', (req, res) => {
res.status(201).json(wall); res.status(201).json(wall);
}); });
// Update wall (name, grid, bezels, playlist, leader, sync_mode) // Update wall (name, grid, bezels, playlist, leader, sync_mode). Phase 2.2l:
router.put('/:id', (req, res) => { // closes pre-existing leaks where playlist_id / content_id / leader_device_id
const wall = checkWallAccess(req, res); // were accepted without any cross-tenant check.
if (!wall) return; router.put('/:id', requireWallWrite, (req, res) => {
const wall = req.wall;
if (req.body.playlist_id) {
const pl = db.prepare('SELECT workspace_id FROM playlists WHERE id = ?').get(req.body.playlist_id);
if (!pl) return res.status(404).json({ error: 'Playlist not found' });
if (pl.workspace_id !== wall.workspace_id) {
return res.status(403).json({ error: 'Playlist is not in this workspace' });
}
}
if (req.body.content_id) {
const c = db.prepare('SELECT workspace_id FROM content WHERE id = ?').get(req.body.content_id);
if (!c) return res.status(404).json({ error: 'Content not found' });
if (c.workspace_id && c.workspace_id !== wall.workspace_id) {
return res.status(403).json({ error: 'Content is not in this workspace' });
}
}
if (req.body.leader_device_id) {
const d = db.prepare('SELECT workspace_id FROM devices WHERE id = ?').get(req.body.leader_device_id);
if (!d) return res.status(404).json({ error: 'Leader device not found' });
if (d.workspace_id !== wall.workspace_id) {
return res.status(403).json({ error: 'Leader device is not in this workspace' });
}
}
const fields = ['name', 'grid_cols', 'grid_rows', 'bezel_h_mm', 'bezel_v_mm', const fields = ['name', 'grid_cols', 'grid_rows', 'bezel_h_mm', 'bezel_v_mm',
'screen_w_mm', 'screen_h_mm', 'sync_mode', 'leader_device_id', 'content_id', 'playlist_id', 'screen_w_mm', 'screen_h_mm', 'sync_mode', 'leader_device_id', 'content_id', 'playlist_id',
@ -163,10 +187,7 @@ router.put('/:id', (req, res) => {
// Delete wall — clear playlists + wall_id on every former member (matches // Delete wall — clear playlists + wall_id on every former member (matches
// group-dissolve semantics: leaving the wall returns devices to ungrouped). // group-dissolve semantics: leaving the wall returns devices to ungrouped).
router.delete('/:id', (req, res) => { router.delete('/:id', requireWallWrite, (req, res) => {
const wall = checkWallAccess(req, res);
if (!wall) return;
const members = db.prepare('SELECT device_id FROM video_wall_devices WHERE wall_id = ?').all(req.params.id); const members = db.prepare('SELECT device_id FROM video_wall_devices WHERE wall_id = ?').all(req.params.id);
const tx = db.transaction(() => { const tx = db.transaction(() => {
db.prepare("UPDATE devices SET wall_id = NULL, playlist_id = NULL WHERE wall_id = ?").run(req.params.id); db.prepare("UPDATE devices SET wall_id = NULL, playlist_id = NULL WHERE wall_id = ?").run(req.params.id);
@ -185,35 +206,21 @@ router.delete('/:id', (req, res) => {
// Set device grid positions. Replaces the entire member set. // Set device grid positions. Replaces the entire member set.
// Devices removed lose their playlist (returned to ungrouped); devices added // Devices removed lose their playlist (returned to ungrouped); devices added
// inherit the wall's playlist. // inherit the wall's playlist.
router.put('/:id/devices', (req, res) => { // Phase 2.2l: closes pre-existing leak. Old per-device check ran through
// team_members (legacy table) and role==='admin' (dead since Phase 2.1) -
// effectively only the device.user_id direct-ownership branch was active,
// missing the workspace dimension. Now: every device must be in the wall's
// workspace.
router.put('/:id/devices', requireWallWrite, (req, res) => {
const { devices } = req.body; const { devices } = req.body;
if (!Array.isArray(devices)) return res.status(400).json({ error: 'devices array required' }); if (!Array.isArray(devices)) return res.status(400).json({ error: 'devices array required' });
const wall = checkWallAccess(req, res); const wall = req.wall;
if (!wall) return; for (const d of devices) {
const dev = db.prepare('SELECT workspace_id FROM devices WHERE id = ?').get(d.device_id);
// Verify caller owns (or has team access to) every device they're adding. if (!dev) return res.status(404).json({ error: `Device ${d.device_id} not found` });
// Without this a user could attach another tenant's devices to their own if (dev.workspace_id !== wall.workspace_id) {
// wall and silently take over the playlist + wall_id on those rows. return res.status(403).json({ error: `Device ${d.device_id} is not in this workspace` });
// Mirrors the per-device check in device-groups.js.
if (!PLATFORM_ROLES.includes(req.user.role)) {
const isAdmin = req.user.role === 'admin';
for (const d of devices) {
const dev = db.prepare('SELECT user_id, team_id FROM devices WHERE id = ?').get(d.device_id);
if (!dev) return res.status(404).json({ error: `Device ${d.device_id} not found` });
if (dev.user_id === req.user.id) continue;
if (isAdmin && dev.user_id) {
// Admin may attach team members' devices: dev's owner must be in a team this admin owns
const ownsTeamWithOwner = db.prepare(`
SELECT 1 FROM team_members tm_target
JOIN team_members tm_admin ON tm_admin.team_id = tm_target.team_id
WHERE tm_target.user_id = ? AND tm_admin.user_id = ? AND tm_admin.role = 'owner'
LIMIT 1
`).get(dev.user_id, req.user.id);
if (ownsTeamWithOwner) continue;
}
// Non-admin: must own the device directly
return res.status(403).json({ error: `Access denied to device ${d.device_id}` });
} }
} }
@ -274,20 +281,27 @@ router.put('/:id/devices', (req, res) => {
res.json(loadWallWithDevices(req.params.id)); res.json(loadWallWithDevices(req.params.id));
}); });
// Set wall content (legacy single-video path — kept for back-compat) // Set wall content (legacy single-video path — kept for back-compat).
router.put('/:id/content', (req, res) => { // Phase 2.2l: closes pre-existing leak where content_id was accepted with
const wall = checkWallAccess(req, res); // NO cross-tenant check.
if (!wall) return; router.put('/:id/content', requireWallWrite, (req, res) => {
const wall = req.wall;
const { content_id } = req.body; const { content_id } = req.body;
if (content_id) {
const c = db.prepare('SELECT workspace_id FROM content WHERE id = ?').get(content_id);
if (!c) return res.status(404).json({ error: 'Content not found' });
if (c.workspace_id && c.workspace_id !== wall.workspace_id) {
return res.status(403).json({ error: 'Content is not in this workspace' });
}
}
db.prepare("UPDATE video_walls SET content_id = ?, updated_at = strftime('%s','now') WHERE id = ?") db.prepare("UPDATE video_walls SET content_id = ?, updated_at = strftime('%s','now') WHERE id = ?")
.run(content_id || null, req.params.id); .run(content_id || null, req.params.id);
res.json({ success: true }); res.json({ success: true });
}); });
// Get wall config for a specific device (legacy fetch path) // Get wall config for a specific device (legacy fetch path)
router.get('/:id/device-config/:deviceId', (req, res) => { router.get('/:id/device-config/:deviceId', requireWallRead, (req, res) => {
const wall = checkWallAccess(req, res); const wall = req.wall;
if (!wall) return;
const position = db.prepare('SELECT * FROM video_wall_devices WHERE wall_id = ? AND device_id = ?') const position = db.prepare('SELECT * FROM video_wall_devices WHERE wall_id = ? AND device_id = ?')
.get(req.params.id, req.params.deviceId); .get(req.params.id, req.params.deviceId);