-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Hubs authorization
Greg Fodor edited this page Jan 21, 2020
·
3 revisions
This is a brief overview of authorization.
- The server authorizes all instantiation messages. If a user is not authorized, instantiation messages from them will not be sent to peers.
- For update messages, the client authorizes and filters. Authorization is two stage:
- First, we check if a message is affirmatively authorized, meaning that it is explicitly allowed by policy.
This check happens in
authorizeEntityManipulation
inpermissions-utils.js
. - If that check fails, then the message is sanitized, which to strips it down to just a specific, optional
subset component attributes which do not require authorization.
- These components are defined as
nonAuthorizedComponents
in network-schemas.js - The reason for this component whitelist is dictated by use case. For example, we allow anyone in the room currently to manipulate the video playback state or pager state on media, because to lock that down otherwise would mean that scene-owned assets would never be controllable by users.
- These components are defined as
- First, we check if a message is affirmatively authorized, meaning that it is explicitly allowed by policy.
This check happens in
One confusing bit is for videos:
- For unpinned videos, all actions are both authorized and visible in the UI regardless of permissions
- For pinned videos:
- Play/pause are unauthorized, because that would reflect the pin state
- Seeking is authorized, because to do otherwise would prevent an arbitrary timekeeper
- However, by convention, we disable the seeking controls after https://github.com/mozilla/hubs/pull/2064 to make pinning effectively be a soft contract that discouages seeking by non-privileged users