speckleworks / SpeckleServer

Check a brand new Speckle at: https://github.com/specklesystems
http://speckle.systems
MIT License

Client Put bug? #182

Open AntoineDao opened 4 years ago

AntoineDao commented 4 years ago

I'm doing some rewriting and was wondering why when we update a client we only check if the user can write to the stream? Shouldn't we check that the user can write to the client instead?

https://github.com/speckleworks/SpeckleServer/blob/c544a3404f41d266d660579513f685b1cad70bd9/app/api/clients/ClientPut.js#L17

didimitrie commented 4 years ago

It's covering the case when A opens B's file with B's sender/receiver client in there, but A's account.

Reasoning goes like: if A can already access B's file, he should be able to edit the client and set it online/offline (what that endpoint is mostly used for). If he shouldn't be able to, there are some bigger structural issues there (i.e., A stealing B's files from the network drive or something).

Open to different ways of doing things, but it would mean some client rewriting...
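
The two authorization policies discussed in this thread, side by side, as an added example that is not part of the original issue and is not SpeckleServer code. The record fields (`owner`, `canWrite`, `streamId`), the function names and the sample users are assumptions made for illustration.

```javascript
// Added illustration. The record shapes below are assumed, not SpeckleServer's schema.

// True when the user owns the resource or is listed as a writer on it.
function canWrite(user, resource) {
  if (!user || !resource) return false; // unknown user or missing record: deny
  return resource.owner === user.id ||
    (resource.canWrite || []).includes(user.id);
}

// Policy the thread describes as current behaviour: a client update is
// authorized by write access to the stream the client is attached to.
function authorizeByStream(user, client, streams) {
  return canWrite(user, streams.get(client.streamId));
}

// Policy proposed in the question: authorize against the client record itself.
function authorizeByClient(user, client) {
  return canWrite(user, client);
}

// Constructed sample data: B owns the stream and the client, A is a stream writer.
const userA = { id: 'user-a' };
const userB = { id: 'user-b' };
const userC = { id: 'user-c' }; // no access to anything
const streams = new Map([
  ['stream-1', { owner: 'user-b', canWrite: ['user-a'] }],
]);
const clientOfB = { owner: 'user-b', canWrite: [], streamId: 'stream-1' };
// Edge case: the client points at a stream that no longer exists.
const orphanClient = { owner: 'user-b', canWrite: [], streamId: 'stream-gone' };

// Evaluate both policies for one update request.
function decisions(user, client) {
  return {
    byStream: authorizeByStream(user, client, streams),
    byClient: authorizeByClient(user, client),
  };
}

for (const [label, user, client] of [
  ['A updates B\'s client', userA, clientOfB],
  ['B updates own client', userB, clientOfB],
  ['C updates B\'s client', userC, clientOfB],
  ['B updates orphaned client', userB, orphanClient],
]) {
  console.log(label, decisions(user, client));
}
```

The policies diverge in two places: a stream writer who does not own the client is allowed only under the stream check, and an owner whose client references a missing stream is allowed only under the client check.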