fix: don't allow new users to steal roles (#4055)

2025-09-19 13:30:44 -04:00 · 2025-09-19 13:30:44 -04:00 · 2cf46d09b3
commit 2cf46d09b3
parent d29d69892d
2 changed files with 29 additions and 4 deletions
--- a/lib/pangea/activity_sessions/activity_room_extension.dart
+++ b/lib/pangea/activity_sessions/activity_room_extension.dart
@ -24,8 +24,25 @@ import 'package:fluffychat/pangea/extensions/pangea_room_extension.dart';
 import 'package:fluffychat/widgets/matrix.dart';
 import '../activity_summary/activity_summary_repo.dart';

+class RoleException implements Exception {
+  final String message;
+  RoleException(this.message);
+
+  @override
+  String toString() => "RoleException: $message";
+}
+
 extension ActivityRoomExtension on Room {
  Future<void> joinActivity(ActivityRole role) async {
+    final assigned = assignedRoles?.values ?? [];
+    if (assigned.any((r) => r.userId != client.userID && r.role == role.name)) {
+      throw RoleException("Role already taken");
+    }
+
+    if (assigned.any((r) => r.userId == client.userID)) {
+      throw RoleException("User already has a role");
+    }
+
    final currentRoles = activityRoles ?? ActivityRolesModel.empty;
    final activityRole = ActivityRoleModel(
      id: role.id,
--- a/lib/pangea/activity_sessions/activity_session_start/activity_session_start_page.dart
+++ b/lib/pangea/activity_sessions/activity_session_start/activity_session_start_page.dart
@ -161,7 +161,9 @@ class ActivitySessionStartController extends State<ActivitySessionStartPage>
    }

    final availableRoles = activity!.roles;
-    final assignedRoles = activityRoom?.assignedRoles ?? {};
+    final assignedRoles = activityRoom?.assignedRoles ??
+        roomSummaries?[widget.roomId]?.activityRoles.roles ??
+        {};
    final unassignedIds = availableRoles.keys
        .where((id) => !assignedRoles.containsKey(id))
        .toList();
@ -273,9 +275,15 @@ class ActivitySessionStartController extends State<ActivitySessionStartPage>
      }
    }

-    await activityRoom!.joinActivity(
-      activity!.roles[_selectedRoleId!]!,
-    );
+    try {
+      await activityRoom!.joinActivity(
+        activity!.roles[_selectedRoleId!]!,
+      );
+    } catch (e) {
+      if (e is! RoleException) {
+        rethrow;
+      }
+    }

    context.go("/rooms/spaces/${widget.parentId}/${widget.roomId}");
  }