fix(join meeting): Moderator are authorized to start the meeting (#5183)

9f2441bd · Samuel Couillard · GitHub · adcd12c4 · 9f2441bd · 9f2441bd
Unverified Commit 9f2441bd authored May 15, 2023 by Samuel Couillard Committed by GitHub May 15, 2023
--- a/app/controllers/api/v1/meetings_controller.rb
+++ b/app/controllers/api/v1/meetings_controller.rb
@@ -54,7 +54,7 @@ module Api
          settings: %w[glRequireAuthentication glViewerAccessCode glModeratorAccessCode glAnyoneCanStart glAnyoneJoinAsModerator]
        ).call

-        return render_error status: :unauthorized if !current_user && settings['glRequireAuthentication'] == 'true'
+        return render_error status: :unauthorized if unauthorized_access?(settings)

        bbb_role = infer_bbb_role(mod_code: settings['glModeratorAccessCode'],
                                  viewer_code: settings['glViewerAccessCode'],
@@ -66,7 +66,8 @@ module Api
          status: BigBlueButtonApi.new(provider: current_provider).meeting_running?(room: @room)
        }

-        if !data[:status] && settings['glAnyoneCanStart'] == 'true' # Meeting isnt running and anyoneCanStart setting is enabled
+        # Starts meeting if meeting is not running and glAnyoneCanStart is enabled or user is a moderator
+        if !data[:status] && authorized_to_start_meeting?(settings, bbb_role)
          begin
            MeetingStarter.new(room: @room, base_url: request.base_url, current_user:, provider: current_provider).call
          rescue BigBlueButton::BigBlueButtonException => e
@@ -122,6 +123,14 @@ module Api
          (anyone_join_as_mod && (access_code_validator(access_code: mod_code) || access_code_validator(access_code: viewer_code)))
      end

+      def authorized_to_start_meeting?(settings, bbb_role)
+        settings['glAnyoneCanStart'] == 'true' || bbb_role == 'Moderator'
+      end
+
+      def unauthorized_access?(settings)
+        !current_user && settings['glRequireAuthentication'] == 'true'
+      end
+
      def access_code_validator(access_code:)
        access_code.present? && params[:access_code].present? && access_code == params[:access_code]
      end

--- a/spec/controllers/meetings_controller_spec.rb
+++ b/spec/controllers/meetings_controller_spec.rb
@@ -149,11 +149,12 @@ RSpec.describe Api::V1::MeetingsController, type: :controller do
      expect(JSON.parse(response.body)['data']).to eq({ 'joinUrl' => 'JOIN_URL', 'status' => true })
    end

-    it 'returns status false if the meeting is NOT running' do
+    it 'returns status false if the meeting is NOT running and the user is NOT authorized to start the meeting' do
      allow_any_instance_of(BigBlueButtonApi).to receive(:meeting_running?).and_return(false)
      expect_any_instance_of(BigBlueButtonApi).not_to receive(:join_meeting)

-      post :status, params: { friendly_id: room.friendly_id, name: user.name }
+      post :status, params: { friendly_id: test_room.friendly_id, name: user.name }
+
      expect(response).to have_http_status(:ok)
      expect(JSON.parse(response.body)['data']).to eq({ 'status' => false })
    end
@@ -184,6 +185,16 @@ RSpec.describe Api::V1::MeetingsController, type: :controller do
      post :status, params: { friendly_id: test_room.friendly_id, name: user.name }
    end

+    it 'starts the meeting if the user is a moderator' do
+      allow_any_instance_of(BigBlueButtonApi).to receive(:meeting_running?).and_return(false)
+      expect_any_instance_of(MeetingStarter).to receive(:call)
+
+      post :status, params: { friendly_id: room.friendly_id, name: user.name }
+
+      expect(response).to have_http_status(:ok)
+      expect(JSON.parse(response.body)['data']).to eq({ 'joinUrl' => 'JOIN_URL', 'status' => true })
+    end
+
    context 'user is joining a shared room' do
      before do
        guest_user.shared_rooms << room