add a middleware to check whether the page is accessible

apps/app/src/server/service/yjs.ts

@@ -68,6 +68,22 @@ class YjsService implements IYjsService {
 
     this.createIndexes();
 
+    // check accessible page
+    ysocketio.nsp?.use(async(socket, next) => {
+      // extract page id from namespace
+      const pageId = socket.nsp.name.replace(/\/yjs\|/, '');
+      const user = (socket.request as RequestWithUser).user; // should be injected by SocketIOService
+
+      const Page = mongoose.model<IPage, PageModel>('Page');
+      const isAccessible = await Page.isAccessiblePageByViewer(pageId, user);
+
+      if (!isAccessible) {
+        return next(new Error('Forbidden'));
+      }
+
+      return next();
+    });
+
     ysocketio.on('document-loaded', async(doc: Document) => {
       const pageId = doc.name;