From 3dc2795f6668a94a06e25aa20ddf54e28693e139 Mon Sep 17 00:00:00 2001
From: Manuel Martin
Date: Fri, 23 Jun 2023 16:49:17 +0200
Subject: [PATCH 1/2] Auth permission updates
---
 lib/ret_web/channels/hub_channel.ex | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/lib/ret_web/channels/hub_channel.ex b/lib/ret_web/channels/hub_channel.ex
index 1f5c2156c..6367c566d 100644
--- a/lib/ret_web/channels/hub_channel.ex
+++ b/lib/ret_web/channels/hub_channel.ex
@@ -297,17 +297,23 @@ defmodule RetWeb.HubChannel do
 account = Guardian.Phoenix.Socket.current_resource(socket)
 hub = socket |> hub_for_socket

- if (type != "photo" and type != "video") or account |> can?(spawn_camera(hub)) do
- broadcast!(
- socket,
- event,
- payload
- |> Map.delete("session_id")
- |> Map.put(:session_id, socket.assigns.session_id)
- |> payload_with_from(socket)
- )
+ if (type == "photo" and type == "video" and
+ account
+ |> can?(spawn_camera(hub))
+ |> Kernel.not()) or
+ (type == "permission" and hub |> Ret.Hub.is_owner?(account.account_id) |> Kernel.not()) do
+ {:noreply, socket}
 end

+ broadcast!(
+ socket,
+ event,
+ payload
+ |> Map.delete("session_id")
+ |> Map.put(:session_id, socket.assigns.session_id)
+ |> payload_with_from(socket)
+ )
+
 {:noreply, socket}
 end

From 38306cdcd89fb5d524a834d18e8c0975b4429618 Mon Sep 17 00:00:00 2001
From: Manuel Martin
Date: Tue, 27 Jun 2023 13:27:05 +0200
Subject: [PATCH 2/2] Correctly handle message permissions
---
 lib/ret_web/channels/hub_channel.ex | 32 +++++++++++++++--------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/lib/ret_web/channels/hub_channel.ex b/lib/ret_web/channels/hub_channel.ex
index 6367c566d..25448d8ee 100644
--- a/lib/ret_web/channels/hub_channel.ex
+++ b/lib/ret_web/channels/hub_channel.ex
@@ -297,22 +297,24 @@ defmodule RetWeb.HubChannel do
 account = Guardian.Phoenix.Socket.current_resource(socket)
 hub = socket |> hub_for_socket

- if (type == "photo" and type == "video" and
- account
- |> can?(spawn_camera(hub))
- |> Kernel.not()) or
- (type == "permission" and hub |> Ret.Hub.is_owner?(account.account_id) |> Kernel.not()) do
- {:noreply, socket}
- end
+ authorized =
+ cond do
+ type in ["photo", "video"] -> account |> can?(spawn_camera(hub))
+ type === "chat" -> account |> can?(text_chat(hub))
+ type === "permission" -> account |> can?(update_hub(hub))
+ true -> true
+ end

- broadcast!(
- socket,
- event,
- payload
- |> Map.delete("session_id")
- |> Map.put(:session_id, socket.assigns.session_id)
- |> payload_with_from(socket)
- )
+ if authorized do
+ broadcast!(
+ socket,
+ event,
+ payload
+ |> Map.delete("session_id")
+ |> Map.put(:session_id, socket.assigns.session_id)
+ |> payload_with_from(socket)
+ )
+ end

 {:noreply, socket}
 end
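Review bot: The `true -> true` fallback at the end of the new `cond` makes the check fail-open: any `type` other than the four listed strings is broadcast to the room with no permission check, so a privileged message type added later is relayed by default until someone remembers to add a clause here. If the set of message types is closed, name the unrestricted ones and deny the rest, e.g. `type in @unrestricted_message_types -> true` followed by `true -> false` (the attribute name is a placeholder; the full list of types is not visible in this hunk). The denied path returns `{:noreply, socket}` without any trace; a log line or counter carrying `socket.assigns.session_id` and `type` would let operators see repeated unauthorized attempts. The function head that binds `type`, `event` and `payload` lies outside the hunk, so it should be confirmed whether `type` is already constrained there. Patch 1/2 taken alone discards the value of its `if` and always reaches `broadcast!`, and its `type == "photo" and type == "video"` test can never be true, so the two commits are best squashed so that no intermediate revision ships without the check.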