From bb284f7cf3a3336a9c79714f1539f02e2e02b5f4 Mon Sep 17 00:00:00 2001
From: Miroslav Pejic
Date: Thu, 27 Apr 2023 08:34:37 +0200
Subject: [PATCH] [mirotalksfu] - improve security

---
 app/src/Server.js | 12 ++++++++++--
 public/js/RoomClient.js | 8 +++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/app/src/Server.js b/app/src/Server.js
index d5570b60..d2aeb9c0 100644
--- a/app/src/Server.js
+++ b/app/src/Server.js
@@ -943,10 +943,18 @@ function startServer() {
 callback();
 });
 
- socket.on('getRoomInfo', (_, cb) => {
+ socket.on('getRoomInfo', async (dataObject, cb) => {
 if (!roomList.has(socket.room_id)) return;
 
- log.debug('Send Room Info to', getPeerName());
+ const data = checkXSS(dataObject);
+
+ const isPresenter = await isPeerPresenter(socket.room_id, data.peer_name, data.peer_uuid);
+ if (!isPresenter) {
+ log.debug('Get Room Info not allowed', data);
+ return;
+ }
+
+ log.debug('Send Room Info to', data.peer_name);
 cb(roomList.get(socket.room_id).toJson());
 });
 
diff --git a/public/js/RoomClient.js b/public/js/RoomClient.js
index e04e61cc..b60772cd 100644
--- a/public/js/RoomClient.js
+++ b/public/js/RoomClient.js
@@ -2179,7 +2179,13 @@ class RoomClient {
 }
 
 async getRoomInfo() {
- let room_info = await this.socket.request('getRoomInfo');
+ const data = {
+ room_id: this.room_id,
+ peer_name: this.peer_name,
+ peer_id: this.peer_id,
+ peer_uuid: this.peer_uuid,
+ };
+ let room_info = await this.socket.request('getRoomInfo', data);
 return room_info;
 }
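Review bot: The presenter check in the new `getRoomInfo` handler is driven by `data.peer_name` and `data.peer_uuid`, both read from the request payload, so the authorization decision rests on values the caller supplies. How `isPeerPresenter` validates them is not visible here, but the check would be stronger if it used identity recorded on the socket at join time, the way the handler already relies on `socket.room_id`. The handler is now `async` and dereferences `data` with no guard, so a request without a payload presumably rejects inside the handler with nothing to catch it; a guard such as `if (!data || typeof data !== 'object') return;` before the `isPeerPresenter` call, or a try/catch around the body, would contain that. `log.debug('Get Room Info not allowed', data)` also writes the whole client-supplied object, including `peer_uuid`, to the log, where `data.peer_name` alone would do. The `startServer()` body continues outside the hunk.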
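Review bot: `await this.socket.request('getRoomInfo', data)` can now be left waiting, because the server handler changed in this same commit returns without calling its callback when the presenter check fails. Unless `socket.request` has its own timeout (not visible here), `getRoomInfo()` never settles for a non-presenter, so either the server should answer every request with an explicit refusal or this call should be bounded and its failure handled by the caller. `room_id` and `peer_id` are sent, but the handler shown in Server.js reads only `peer_name` and `peer_uuid`, so they could be dropped from `data`. A short doc comment would also help, e.g. `/** Ask the server for room info; the server answers presenters only. */`.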