[FIX] Duplicate code in rest api letting in a few bugs with the rest api

packages/rocketchat-api/server/api.js

@@ -5,11 +5,28 @@ class API extends Restivus {
 		this.logger = new Logger(`API ${ properties.version ? properties.version : 'default' } Logger`, {});
 		this.authMethods = [];
 		this.helperMethods = new Map();
+		this.fieldSeparator = '.';
 		this.defaultFieldsToExclude = {
 			joinCode: 0,
 			$loki: 0,
 			meta: 0,
-			members: 0
+			members: 0,
+			importIds: 0
+		};
+		this.limitedUserFieldsToExclude = {
+			avatarOrigin: 0,
+			emails: 0,
+			phone: 0,
+			statusConnection: 0,
+			createdAt: 0,
+			lastLogin: 0,
+			services: 0,
+			requirePasswordChange: 0,
+			requirePasswordChangeReason: 0,
+			roles: 0,
+			statusDefault: 0,
+			_updatedAt: 0,
+			customFields: 0
 		};
 
 		this._config.defaultOptionsEndpoint = function() {

packages/rocketchat-api/server/v1/channels.js

@@ -191,7 +191,7 @@ RocketChat.API.v1.addRoute('channels.files', { authRequired: true }, {
 			sort: sort ? sort : { name: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({
@@ -235,7 +235,7 @@ RocketChat.API.v1.addRoute('channels.getIntegrations', { authRequired: true }, {
 			sort: sort ? sort : { _createdAt: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({
@@ -381,7 +381,7 @@ RocketChat.API.v1.addRoute('channels.list', { authRequired: true }, {
 				sort: sort ? sort : { name: 1 },
 				skip: offset,
 				limit: count,
-				fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+				fields
 			}).fetch();
 
 			return RocketChat.API.v1.success({
@@ -405,7 +405,7 @@ RocketChat.API.v1.addRoute('channels.list.joined', { authRequired: true }, {
 			sort: sort ? sort : { name: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		});
 
 		return RocketChat.API.v1.success({
@@ -461,7 +461,7 @@ RocketChat.API.v1.addRoute('channels.messages', { authRequired: true }, {
 			sort: sort ? sort : { ts: -1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({

packages/rocketchat-api/server/v1/groups.js

@@ -167,7 +167,7 @@ RocketChat.API.v1.addRoute('groups.files', { authRequired: true }, {
 			sort: sort ? sort : { name: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({
@@ -205,7 +205,7 @@ RocketChat.API.v1.addRoute('groups.getIntegrations', { authRequired: true }, {
 			sort: sort ? sort : { _createdAt: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({
@@ -323,7 +323,7 @@ RocketChat.API.v1.addRoute('groups.list', { authRequired: true }, {
 			sort: sort ? sort : { name: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		});
 
 		return RocketChat.API.v1.success({
@@ -350,7 +350,7 @@ RocketChat.API.v1.addRoute('groups.listAll', { authRequired: true }, {
 			sort: sort ? sort : { name: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		});
 
 		return RocketChat.API.v1.success({
@@ -398,7 +398,7 @@ RocketChat.API.v1.addRoute('groups.messages', { authRequired: true }, {
 			sort: sort ? sort : { ts: -1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({

packages/rocketchat-api/server/v1/helpers/parseJsonQuery.js

@@ -19,6 +19,26 @@ RocketChat.API.v1.helperMethods.set('parseJsonQuery', function _parseJsonQuery()
 		}
 	}
 
+	// Verify the user's selected fields only contains ones which their role allows
+	if (typeof fields === 'object') {
+		let nonSelectableFields = Object.keys(RocketChat.API.v1.defaultFieldsToExclude);
+		if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
+			nonSelectableFields = nonSelectableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExclude));
+		}
+
+		Object.keys(fields).forEach((k) => {
+			if (nonSelectableFields.includes(k) || nonSelectableFields.includes(k.split(RocketChat.API.v1.fieldSeparator)[0])) {
+				delete fields[k];
+			}
+		});
+	}
+
+	// Limit the fields by default
+	fields = Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude);
+	if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
+		fields = Object.assign(fields, RocketChat.API.v1.limitedUserFieldsToExclude);
+	}
+
 	let query;
 	if (this.queryParams.query) {
 		try {
@@ -29,6 +49,20 @@ RocketChat.API.v1.helperMethods.set('parseJsonQuery', function _parseJsonQuery()
 		}
 	}
 
+	// Verify the user has permission to query the fields they are
+	if (typeof query === 'object') {
+		let nonQuerableFields = Object.keys(RocketChat.API.v1.defaultFieldsToExclude);
+		if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
+			nonQuerableFields = nonQuerableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExclude));
+		}
+
+		Object.keys(query).forEach((k) => {
+			if (nonQuerableFields.includes(k) || nonQuerableFields.includes(k.split(RocketChat.API.v1.fieldSeparator)[0])) {
+				delete query[k];
+			}
+		});
+	}
+
 	return {
 		sort,
 		fields,

packages/rocketchat-api/server/v1/im.js

@@ -60,7 +60,7 @@ RocketChat.API.v1.addRoute(['dm.files', 'im.files'], { authRequired: true }, {
 			sort: sort ? sort : { name: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({
@@ -160,7 +160,7 @@ RocketChat.API.v1.addRoute(['dm.messages', 'im.messages'], { authRequired: true
 			sort: sort ? sort : { ts: -1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({
@@ -200,7 +200,7 @@ RocketChat.API.v1.addRoute(['dm.messages.others', 'im.messages.others'], { authR
 			sort: sort ? sort : { ts: -1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({
@@ -223,7 +223,7 @@ RocketChat.API.v1.addRoute(['dm.list', 'im.list'], { authRequired: true }, {
 			sort: sort ? sort : { name: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		});
 
 		return RocketChat.API.v1.success({
@@ -250,7 +250,7 @@ RocketChat.API.v1.addRoute(['dm.list.everyone', 'im.list.everyone'], { authRequi
 			sort: sort ? sort : { name: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({

packages/rocketchat-api/server/v1/stats.js

@@ -25,20 +25,18 @@ RocketChat.API.v1.addRoute('statistics.list', { authRequired: true }, {
 		const { offset, count } = this.getPaginationItems();
 		const { sort, fields, query } = this.parseJsonQuery();
 
-		const ourQuery = Object.assign({}, query);
-
-		const statistics = RocketChat.models.Statistics.find(ourQuery, {
+		const statistics = RocketChat.models.Statistics.find(query, {
 			sort: sort ? sort : { name: 1 },
 			skip: offset,
 			limit: count,
-			fields: Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude)
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({
 			statistics,
 			count: statistics.length,
 			offset,
-			total: RocketChat.models.Statistics.find(ourQuery).count()
+			total: RocketChat.models.Statistics.find(query).count()
 		});
 	}
 });

packages/rocketchat-api/server/v1/users.js

@@ -117,40 +117,18 @@ RocketChat.API.v1.addRoute('users.list', { authRequired: true }, {
 		const { offset, count } = this.getPaginationItems();
 		const { sort, fields, query } = this.parseJsonQuery();
 
-		let fieldsToKeepFromRegularUsers;
-		if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info')) {
-			fieldsToKeepFromRegularUsers = {
-				avatarOrigin: 0,
-				emails: 0,
-				phone: 0,
-				statusConnection: 0,
-				createdAt: 0,
-				lastLogin: 0,
-				services: 0,
-				requirePasswordChange: 0,
-				requirePasswordChangeReason: 0,
-				roles: 0,
-				statusDefault: 0,
-				_updatedAt: 0,
-				customFields: 0
-			};
-		}
-
-		const ourQuery = Object.assign({}, query);
-		const ourFields = Object.assign({}, fields, fieldsToKeepFromRegularUsers, RocketChat.API.v1.defaultFieldsToExclude);
-
-		const users = RocketChat.models.Users.find(ourQuery, {
+		const users = RocketChat.models.Users.find(query, {
 			sort: sort ? sort : { username: 1 },
 			skip: offset,
 			limit: count,
-			fields: ourFields
+			fields
 		}).fetch();
 
 		return RocketChat.API.v1.success({
 			users,
 			count: users.length,
 			offset,
-			total: RocketChat.models.Users.find(ourQuery).count()
+			total: RocketChat.models.Users.find(query).count()
 		});
 	}
 });