File uploading by App returns unexpected error

[pedrodeandrade]

Description:

When trying to upload a file in behalf of a user in a Livechat room using a app it returns a
error saying it's forbidden.

When trying to upload a file using an app on a RocketChat server below 3.16.0 version it works as expected

When I try to upload a file with a visitor token instead of a user it works correctly no matter the RocketChat version.

Here is the error message and stack trace that is returned by the server:
"{\"message\":\"Forbidden [forbidden]\",\"stack\":\"Error: Forbidden [forbidden]\\n at Object.<anonymous> (packages/jalik:ufs/ufs-store.js:339:12)\\n at packages/matb33:collection-hooks/insert.js:16:28\\n at Array.forEach (<anonymous>)\\n at Object.<anonymous> (packages/matb33:collection-hooks/insert.js:15:22)\\n at Object.collection.<computed> [as insert] (packages/matb33:collection-hooks/collection-hooks.js:93:21)\\n at ns.Collection.insert (packages/mongo/collection.js:523:39)\\n at ns.Collection.Mongo.Collection.<computed> [as insert] (packages/dispatch_run-as-user.js:325:19)\\n at BaseDb.insert (app/models/server/models/_BaseDb.js:278:33)\\n at ns.Collection.model.insert (app/models/server/models/_BaseDb.js:129:16)\\n at GridFSStore.Store.self.create (packages/jalik:ufs/ufs-store.js:202:33)\\n at FileUploadClass._doInsert (app/file-upload/server/lib/FileUpload.js:573:29)\\n at FileUploadClass.insert (app/file-upload/server/lib/FileUpload.js:613:15)\\n at FileUploadClass.insertSync (packages/meteor.js:306:21)\\n at app/apps/server/bridges/uploads.ts:59:36\\n at runWithEnvironment (packages/meteor.js:1286:24)\\n at packages/meteor.js:1299:14\\n at new Promise (<anonymous>)\\n at app/apps/server/bridges/uploads.ts:57:10\\n at /app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/fiber_pool.js:43:40\"}"

Steps to reproduce

1. Create a app with a endpoint to upload a file in a room. The image below represents how I am doing the upload:

2. Start a Livechat chat

3. Send a request to the endpoint passing the file, the ID of the Livechat room and the username of the user that is uploading the file

Expected behavior:

It should upload a file in a Livechat room in behalf of a user

Actual behavior:

It returns a error saying it's forbidden

Server Setup Information:

• Version of Rocket.Chat Server: 3.17.1 Enterprise
• Operating System: Linux
• Deployment Method: Docker
• Number of Running Instances: 1
• DB Replicaset Oplog:
• NodeJS Version: v12.22.1
• MongoDB Version: 4.0.22

Client Setup Information:

• Desktop App or Browser Version: Brave 1.24.82
• Operating System: Linux Mint 20

[yashovardhan]

Hey there,

Thanks a lot for reporting this. Since you're an enterprise customer, can you please generate a support ticket? This way your issue will be dealt with on priority. In the meantime I'll try to get this checked as soon as possible from my side.