From 0f556bfad45acc083d1625861be37e7527dd49f7 Mon Sep 17 00:00:00 2001
From: Seth Call
Date: Wed, 11 Jun 2025 22:00:42 -0500
Subject: [PATCH] Only allow stopping a recording if you are the owner
---
 ruby/lib/jam_ruby/models/active_music_session.rb | 4 ++++
 ruby/lib/jam_ruby/models/recording.rb | 7 ++++++-
 web/app/controllers/api_recordings_controller.rb | 5 +++++
 web/config/application.rb | 1 +
 web/config/initializers/gon.rb | 1 +
 5 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ruby/lib/jam_ruby/models/active_music_session.rb b/ruby/lib/jam_ruby/models/active_music_session.rb
index c909156fe..16260f839 100644
--- a/ruby/lib/jam_ruby/models/active_music_session.rb
+++ b/ruby/lib/jam_ruby/models/active_music_session.rb
@@ -863,6 +863,10 @@ module JamRuby
 self.save!(:validate => false)
 end
+ def in_session?(user)
+ self.users.exists?(user.id)
+ end
+
 def connected_participant_count
 Connection.where(:music_session_id => self.id,
 :aasm_state => Connection::CONNECT_STATE.to_s,
diff --git a/ruby/lib/jam_ruby/models/recording.rb b/ruby/lib/jam_ruby/models/recording.rb
index 926144983..7a29f29a0 100644
--- a/ruby/lib/jam_ruby/models/recording.rb
+++ b/ruby/lib/jam_ruby/models/recording.rb
@@ -75,6 +75,11 @@ module JamRuby
 has_stream_mix
 end
+ def can_stop?(user)
+ # only allow the starting-user to create (ideally, perhaps, only the client that did it)
+ user == owner
+ end
+
 # this should be a has-one relationship. until this, this is easiest way to get from recording > mix
 def mix
 self.mixes[0] if self.mixes.length > 0
@@ -214,7 +219,7 @@ module JamRuby
 def has_access?(user)
 return false if user.nil?
- users.exists?(user.id) || attached_with_lesson(user) #|| plays.where("player_id=?", user).count != 0
+ users.exists?(user.id) || attached_with_lesson(user) || (music_session && music_session.in_session?(user))
 end
 def attached_with_lesson(user)
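Review bot: `in_session?` in active_music_session.rb dereferences `user.id` with no nil guard, so a caller that passes a missing user gets a NoMethodError instead of a denial. The only caller visible in this patch, `Recording#has_access?`, returns early on nil, but the method is public; opening it with `return false if user.nil?` keeps it fail-closed on its own. A one-line comment stating whether `users` means the currently connected participants or everyone who has joined the session would also help, because the result now feeds an access decision.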
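Review bot: `can_stop?` in recording.rb returns `user == owner`, which is true when both sides are nil, so a recording without an owner could be stopped by a request that has no resolved user. Whether the `stop` action always runs with an authenticated `current_user` is not visible in this patch, so the predicate should deny on its own: `!user.nil? && user == owner`. The comment also says "create" where the method decides who may stop; `# only the user who started the recording may stop it` matches the code.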
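Review bot: The new `|| (music_session && music_session.in_session?(user))` clause in `has_access?` widens who may access a recording, which the commit subject (restricting stop to the owner) does not mention. As written, any member of the session's `users` passes, and that may include someone who joined after the recording was made; what `has_access?` gates is outside this hunk, so its callers should be checked against the wider grant. If the grant is intended, say so on the line, e.g. `# session participants may access recordings made in their session`.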
diff --git a/web/app/controllers/api_recordings_controller.rb b/web/app/controllers/api_recordings_controller.rb
index 3564e514e..74b8dc424 100644
--- a/web/app/controllers/api_recordings_controller.rb
+++ b/web/app/controllers/api_recordings_controller.rb
@@ -187,6 +187,11 @@ class ApiRecordingsController < ApiController
 def stop
+ # only allow the creator to stop the recording
+ if @recording.can_stop?(current_user) == false
+ raise JamPermissionError, ValidationMessages::PERMISSION_VALIDATION_ERROR
+ end
+
 @recording.stop
 if @recording.errors.any?
diff --git a/web/config/application.rb b/web/config/application.rb
index 033060c28..6de2590b1 100644
--- a/web/config/application.rb
+++ b/web/config/application.rb
@@ -386,6 +386,7 @@ if defined?(Bundler)
 config.video_available = "full"
 config.alerts_api_enabled = true
+ config.show_recording_debug_status = false
 config.gear_check_ignore_high_latency = false
 config.remove_whitespace_credit_card = false
 config.estimate_taxes = true
diff --git a/web/config/initializers/gon.rb b/web/config/initializers/gon.rb
index cbf6ec62e..6f675776f 100644
--- a/web/config/initializers/gon.rb
+++ b/web/config/initializers/gon.rb
@@ -31,5 +31,6 @@ Gon.global.braintree_token = Rails.application.config.braintree_token
 Gon.global.paypal_admin_only = Rails.application.config.paypal_admin_only
 Gon.global.use_video_conferencing_server = Rails.application.config.use_video_conferencing_server
 Gon.global.manual_override_installer_ends_with = Rails.application.config.manual_override_installer_ends_with
+Gon.global.show_recording_debug_status = Rails.application.config.show_recording_debug_status
 Gon.global.env = Rails.env
 Gon.global.version = ::JamWeb::VERSION
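Review bot: The guard added to `stop` in api_recordings_controller.rb compares with `== false`, so it denies only on a literal false; if `can_stop?` ever returns nil, for instance after a later change to the predicate, the request falls through and the recording is stopped. Write the check so that anything other than a truthy answer denies: `raise JamPermissionError, ValidationMessages::PERMISSION_VALIDATION_ERROR unless @recording.can_stop?(current_user)`. How `@recording` and `current_user` are loaded lies outside the hunk, and the body of `stop` continues past it.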