The entity system has a method for checking if a user is allowed to view an entity ("hook_entity_view"). However, when an entity is updated, created or deleted, socket messages with the entity are sent to all users regardless of permissions.
Create an Iris site.
Create an external HTML page (separate to Iris) with the following HTML code:
Change every mention of http://localhost:4000 to the URL of your Iris site.
In your Iris site admin interface go to the permissions page under the users menu and make sure anonymous users have the permission that allows them to view users.
Refresh your external page (the HTML above) and you should see the usernames of the users on your site.
Edit a user or create a new user via the admin interface and the page should automatically update.
This automatic update happens through the websocket functionality in /iris_core/modules/core/entity/entity_views.js lines 130 and onwards.
The problem is entities are being sent directly to all users, for example:
What needs to happen is that, instead of the * wildcard in the socket message, the entity needs to be sent to specific users depending on their permissions.
So you need to see which users are currently signed in; this is available through the iris.modules.auth.globals.userList object. Then you need to run the hook_entity_view hook (see the hook documentation for more information) for each of these user accounts, and send each of them their own socket message.
In /iris_core/sockets.js we also need a new sendSocketMessage function that only sends to anonymous sockets by checking which of the currently connected sockets are not in the userList object.
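As an added illustration (not Iris's own code), the script below shows the fan-out described above in a self-contained form. The userList shape, the socket objects and the permission check are assumptions standing in for iris.modules.auth.globals.userList, the connected-socket list in /iris_core/sockets.js and the hook_entity_view decision; the scenario data is constructed to mirror the reproduction steps (two signed-in users, two anonymous sockets, a user entity being updated, and a toggle for whether anonymous users may view users).

```javascript
// Added illustration, not Iris's own code. The shapes below are assumptions:
//   userList:         userid -> { roles: [...], sockets: [socketId, ...] }
//                     (stand-in for iris.modules.auth.globals.userList)
//   connectedSockets: Map socketId -> { send(event, payload) }
//                     (stand-in for the socket list kept in /iris_core/sockets.js)
//   canView:          stand-in for the hook_entity_view decision

// Stand-in for hook_entity_view: a role needs the "can view <entityType>"
// permission. The real hook may also strip fields; whatever it returns is
// what should go on the wire for that user, not the raw entity.
function canView(roles, entity, permissions) {
  const needed = "can view " + entity.entityType;
  return roles.some((role) => (permissions[role] || new Set()).has(needed));
}

// Sockets that belong to no signed-in user are the anonymous ones: this is
// the set a sendSocketMessage variant for anonymous sockets would target.
function anonymousSockets(connectedSockets, userList) {
  const signedIn = new Set();
  for (const user of Object.values(userList)) {
    for (const id of user.sockets) signedIn.add(id);
  }
  return [...connectedSockets.keys()].filter((id) => !signedIn.has(id));
}

// Replacement for the "*" broadcast: decide per signed-in user, then for the
// anonymous sockets as a group. Returns the socket ids that received the message.
function fanOutEntity(event, entity, userList, connectedSockets, permissions) {
  const delivered = [];
  for (const user of Object.values(userList)) {
    if (!canView(user.roles, entity, permissions)) continue;
    for (const id of user.sockets) {
      const socket = connectedSockets.get(id);
      if (!socket) continue; // listed user whose socket is no longer connected
      socket.send(event, entity);
      delivered.push(id);
    }
  }
  if (canView(["anonymous"], entity, permissions)) {
    for (const id of anonymousSockets(connectedSockets, userList)) {
      connectedSockets.get(id).send(event, entity);
      delivered.push(id);
    }
  }
  return delivered;
}

// Constructed fake sockets that only record what they were sent.
function makeSockets(ids) {
  const sockets = new Map();
  for (const id of ids) {
    sockets.set(id, {
      sent: [],
      send(event, payload) { this.sent.push({ event, payload }); },
    });
  }
  return sockets;
}

// Constructed scenario: two signed-in users, two anonymous sockets, and a user
// entity being updated. The flag models the admin permission page setting
// that lets anonymous users view users.
function runScenario(anonymousMayViewUsers) {
  const permissions = {
    admin: new Set(["can view user"]),
    authenticated: new Set(["can view user"]),
    anonymous: new Set(anonymousMayViewUsers ? ["can view user"] : []),
  };
  const userList = {
    1: { roles: ["admin"], sockets: ["s-admin"] },
    2: { roles: ["authenticated"], sockets: ["s-auth-a", "s-auth-b"] },
  };
  const connectedSockets = makeSockets(
    ["s-admin", "s-auth-a", "s-auth-b", "s-anon-1", "s-anon-2"]
  );
  const entity = { entityType: "user", eid: 5, username: "alice" };
  return fanOutEntity("entityUpdate", entity, userList, connectedSockets, permissions).sort();
}

console.log("anonymous denied :", runScenario(false));
console.log("anonymous allowed:", runScenario(true));
```

With the anonymous permission withheld, only the admin and authenticated sockets receive the update; granting it adds the two anonymous sockets, which is the behaviour the reproduction steps exercise. The point of routing the decision through the per-user hook is that the anonymous branch and the signed-in branch share the same permission logic, so a later change to hook_entity_view (for example stripping fields) applies to both.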