import { Meteor } from 'meteor/meteor';
import { RocketChat } from 'meteor/rocketchat:lib';
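// Returns the field-exclusion map that applies on top of the API defaults for
// the current route: on the /v1/users.* routes it depends on whether the caller
// may see other users' full profile; everywhere else nothing extra is excluded.
function _userRouteExclusions(ctx) {
	if (!ctx.request.route.includes('/v1/users.')) {
		return {};
	}
	if (RocketChat.authz.hasPermission(ctx.userId, 'view-full-other-user-info')) {
		return RocketChat.API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser;
	}
	return RocketChat.API.v1.limitedUserFieldsToExclude;
}

// Parses the JSON query-string parameter `name`. Malformed JSON is logged and
// rejected with `errorCode`; when `requireObject` is set, `null`, arrays and
// primitives are rejected the same way, because the caller runs Object.keys()
// on the result (Object.keys(null) throws) and hands it to MongoDB as a
// selector/projection.
function _parseJsonParam(ctx, name, errorCode, requireObject) {
	const raw = ctx.queryParams[name];
	const reject = (cause) => {
		ctx.logger.warn(`Invalid ${ name } parameter provided "${ raw }":`, cause);
		throw new Meteor.Error(errorCode, `Invalid ${ name } parameter provided: "${ raw }"`, { helperMethod: 'parseJsonQuery' });
	};
	let parsed;
	try {
		parsed = JSON.parse(raw);
	} catch (e) {
		reject(e);
	}
	if (requireObject && (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed))) {
		reject(new TypeError('expected a JSON object'));
	}
	return parsed;
}

// Deletes every top-level key of `obj` that names a blocked field, or a dotted
// path whose first segment is one. Mutates and returns `obj`.
// NOTE(review): only top-level keys are inspected — values are not walked, so a
// blocked field referenced inside a nested clause is not removed here; confirm
// that the endpoints using this helper apply their own restriction if needed.
function _stripBlockedKeys(obj, blockedFields) {
	const blocked = new Set(blockedFields);
	for (const key of Object.keys(obj)) {
		if (blocked.has(key) || blocked.has(key.split(RocketChat.API.v1.fieldSeparator)[0])) {
			delete obj[key];
		}
	}
	return obj;
}

/**
 * REST helper: turns the `sort`, `fields` and `query` query-string parameters
 * into MongoDB sort/projection/selector objects, removing any field the caller
 * is not allowed to project or filter on and forcing the exclusion projection.
 * Runs with the endpoint context as `this` (queryParams, request, userId, logger).
 *
 * @returns {{ sort: *, fields: object, query: object }} parsed parameters;
 *   `sort` is undefined when the parameter is absent.
 * @throws {Meteor.Error} error-invalid-sort, error-invalid-fields or
 *   error-invalid-query when the corresponding parameter cannot be used.
 */
RocketChat.API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {
	// Role/route-dependent exclusions are resolved once and reused for the
	// projection, the projection key filter and the selector key filter.
	const userExclusions = _userRouteExclusions(this);
	const blockedFields = [
		...Object.keys(RocketChat.API.v1.defaultFieldsToExclude),
		...Object.keys(userExclusions),
	];

	// `sort` is only parsed; it is handed back to the caller as-is.
	let sort;
	if (this.queryParams.sort) {
		sort = _parseJsonParam(this, 'sort', 'error-invalid-sort', false);
	}

	let fields = {};
	if (this.queryParams.fields) {
		fields = _stripBlockedKeys(_parseJsonParam(this, 'fields', 'error-invalid-fields', true), blockedFields);
	}
	// Exclusions are merged last so a caller-supplied projection cannot re-include them.
	fields = Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude, userExclusions);

	let query = {};
	if (this.queryParams.query) {
		query = _stripBlockedKeys(_parseJsonParam(this, 'query', 'error-invalid-query', true), blockedFields);
	}

	return {
		sort,
		fields,
		query,
	};
});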