From fc145d9f3eb2817f4d372009e814a209ce3de549 Mon Sep 17 00:00:00 2001 From: cardoso Date: Sun, 13 May 2018 01:37:16 -0300 Subject: [PATCH 1/7] Add view-broadcast-member-list permission --- packages/rocketchat-authorization/server/startup.js | 3 ++- packages/rocketchat-lib/client/defaultTabBars.js | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/rocketchat-authorization/server/startup.js b/packages/rocketchat-authorization/server/startup.js index 142de2284a1c..85c2d02a3745 100644 --- a/packages/rocketchat-authorization/server/startup.js +++ b/packages/rocketchat-authorization/server/startup.js @@ -67,7 +67,8 @@ Meteor.startup(function() { { _id: 'view-statistics', roles : ['admin'] }, { _id: 'view-user-administration', roles : ['admin'] }, { _id: 'preview-c-room', roles : ['admin', 'user', 'anonymous'] }, - { _id: 'view-outside-room', roles : ['admin', 'owner', 'moderator', 'user'] } + { _id: 'view-outside-room', roles : ['admin', 'owner', 'moderator', 'user'] }, + { _id: 'view-broadcast-member-list', roles : ['admin', 'owner', 'moderator'] } ]; for (const permission of permissions) { diff --git a/packages/rocketchat-lib/client/defaultTabBars.js b/packages/rocketchat-lib/client/defaultTabBars.js index 2b184de32f9c..24441d875f9b 100644 --- a/packages/rocketchat-lib/client/defaultTabBars.js +++ b/packages/rocketchat-lib/client/defaultTabBars.js @@ -33,7 +33,7 @@ RocketChat.TabBar.addButton({ return true; } - return RocketChat.authz.hasRole(Meteor.userId(), ['admin', 'moderator', 'owner'], rid); + return RocketChat.authz.hasAllPermission('view-broadcast-member-list'); } }); From 082b21a063058cebff480fcadb163e387a57bfc3 Mon Sep 17 00:00:00 2001 From: cardoso Date: Sun, 13 May 2018 01:44:51 -0300 Subject: [PATCH 2/7] Add view-broadcast-member-list to i18n file --- packages/rocketchat-i18n/i18n/en.i18n.json | 1 + 1 file changed, 1 insertion(+) 
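Review bot: The new row `{ _id: 'view-broadcast-member-list', roles : ['admin', 'owner', 'moderator'] }` in startup.js leaves out 'user', unlike the neighbouring view-outside-room entry, and nothing in the array says that this omission is the whole point of the permission. A trailing comment such as `// no 'user': plain members of a broadcast room must not enumerate its roster` would stop a later tidy-up from adding 'user' back to match its neighbours. Because owner and moderator are granted here alongside admin, every check of this permission has to be scoped to the room for those two roles to count; the defaultTabBars.js hunk in this same patch drops the `rid` argument the old hasRole call had, which a later patch in the series restores. The permissions array and the Meteor.startup callback begin outside the hunk.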
diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json index bc2d5f18ebf9..fa089cc8d7a0 100644 --- a/packages/rocketchat-i18n/i18n/en.i18n.json +++ b/packages/rocketchat-i18n/i18n/en.i18n.json @@ -2231,6 +2231,7 @@ "Video_message": "Video message", "Videocall_declined": "Video Call Declined.", "Videocall_enabled": "Video Call Enabled", + "view-broadcast-member-list": "View Members List in Broadcast Room", "view-c-room": "View Public Channel", "view-c-room_description": "Permission to view public channels", "view-d-room": "View Direct Messages", From 8c5a5d0f7f3c2ed78c4ab48a44f7351579017b36 Mon Sep 17 00:00:00 2001 From: cardoso Date: Sun, 13 May 2018 02:18:06 -0300 Subject: [PATCH 3/7] Fix not looking up view-broadcast-member-list permission per room --- packages/rocketchat-lib/client/defaultTabBars.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/rocketchat-lib/client/defaultTabBars.js b/packages/rocketchat-lib/client/defaultTabBars.js index 24441d875f9b..bfc224955087 100644 --- a/packages/rocketchat-lib/client/defaultTabBars.js +++ b/packages/rocketchat-lib/client/defaultTabBars.js @@ -33,7 +33,7 @@ RocketChat.TabBar.addButton({ return true; } - return RocketChat.authz.hasAllPermission('view-broadcast-member-list'); + return RocketChat.authz.hasAllPermission('view-broadcast-member-list', rid); } }); From bdf441085e263bdb6cf103fb78405edac6cae825 Mon Sep 17 00:00:00 2001 From: cardoso Date: Sun, 13 May 2018 02:31:43 -0300 Subject: [PATCH 4/7] REST API: Don't allow users without permission to fetch broadcast room members list --- packages/rocketchat-api/server/v1/channels.js | 5 ++++- packages/rocketchat-api/server/v1/groups.js | 5 +++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/packages/rocketchat-api/server/v1/channels.js b/packages/rocketchat-api/server/v1/channels.js index eb76ca5a2038..16f91954154c 100644 --- a/packages/rocketchat-api/server/v1/channels.js 
+++ b/packages/rocketchat-api/server/v1/channels.js @@ -503,6 +503,10 @@ RocketChat.API.v1.addRoute('channels.members', { authRequired: true }, { returnUsernames: true }); + if (findResult.broadcast && !RocketChat.authz.hasPermission(this.userId, 'view-broadcast-member-list')) { + return RocketChat.API.v1.unauthorized(); + } + const { offset, count } = this.getPaginationItems(); const { sort } = this.parseJsonQuery(); @@ -865,4 +869,3 @@ RocketChat.API.v1.addRoute('channels.getAllUserMentionsByChannel', { authRequire }); } }); - diff --git a/packages/rocketchat-api/server/v1/groups.js b/packages/rocketchat-api/server/v1/groups.js index 3826a38bca9d..4e0b2d180819 100644 --- a/packages/rocketchat-api/server/v1/groups.js +++ b/packages/rocketchat-api/server/v1/groups.js @@ -380,6 +380,11 @@ RocketChat.API.v1.addRoute('groups.listAll', { authRequired: true }, { RocketChat.API.v1.addRoute('groups.members', { authRequired: true }, { get() { const findResult = findPrivateGroupByIdOrName({ params: this.requestParams(), userId: this.userId }); + + if (findResult._room.broadcast && !RocketChat.authz.hasPermission(this.userId, 'view-broadcast-member-list')) { + return RocketChat.API.v1.unauthorized(); + } + const { offset, count } = this.getPaginationItems(); const { sort } = this.parseJsonQuery(); From f0b7922b303fd83c9ae12e61c9ade80f3e39fa01 Mon Sep 17 00:00:00 2001 From: cardoso Date: Sun, 13 May 2018 02:35:59 -0300 Subject: [PATCH 5/7] Remove trailing space --- packages/rocketchat-api/server/v1/channels.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/rocketchat-api/server/v1/channels.js b/packages/rocketchat-api/server/v1/channels.js index 16f91954154c..62ce6e3a92e5 100644 --- a/packages/rocketchat-api/server/v1/channels.js +++ b/packages/rocketchat-api/server/v1/channels.js 
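Review bot: The REST guard added to channels.members calls `RocketChat.authz.hasPermission(this.userId, 'view-broadcast-member-list')` with no room argument, while the permission is assigned to owner and moderator (roles that, going by the room-scoped lookups elsewhere in this series, are held per room) and the DDP guard in server/methods/getUsersOfRoom.js passes `roomId`; a room owner or moderator who is not an admin would therefore be refused over REST but allowed over DDP. Passing the room id makes the two paths agree: `if (findResult.broadcast && !RocketChat.authz.hasPermission(this.userId, 'view-broadcast-member-list', findResult._id)) {` here, and the equivalent `findResult._room._id` in the groups.members hunk below, which has the same omission. Whether the server-side hasPermission accepts a scope argument exactly as the DDP hunk assumes should be confirmed against rocketchat-authorization. Both route handlers start and end outside their hunks.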
@@ -505,7 +505,7 @@ RocketChat.API.v1.addRoute('channels.members', { authRequired: true }, { if (findResult.broadcast && !RocketChat.authz.hasPermission(this.userId, 'view-broadcast-member-list')) { return RocketChat.API.v1.unauthorized(); - } + } const { offset, count } = this.getPaginationItems(); const { sort } = this.parseJsonQuery(); From 78b30ab12325805399f1db02b4ec35ac75707fa8 Mon Sep 17 00:00:00 2001 From: cardoso Date: Tue, 15 May 2018 18:34:41 -0300 Subject: [PATCH 6/7] DDP: getUsersOfRoom disallow users without permission to fetch broadcast room members list --- server/methods/getUsersOfRoom.js | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/server/methods/getUsersOfRoom.js b/server/methods/getUsersOfRoom.js index 2ba96ed29f81..861e8374fa75 100644 --- a/server/methods/getUsersOfRoom.js +++ b/server/methods/getUsersOfRoom.js @@ -9,6 +9,12 @@ Meteor.methods({ throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'getUsersOfRoom' }); } + if (room.broadcast && !RocketChat.authz.hasPermission(Meteor.userId(), 'view-broadcast-member-list', roomId)) { + throw new Meteor.Error('error-not-allowed', 'Not allowed', { + method: 'getUsersOfRoom' + }); + } + const filter = (record) => { if (!record._user) { console.log('Subscription without user', record._id); From a5d30b8e5131943ee6cf66a1d1fdc150e6dd832b Mon Sep 17 00:00:00 2001 From: cardoso Date: Tue, 15 May 2018 18:38:50 -0300 Subject: [PATCH 7/7] Fix code style --- server/methods/getUsersOfRoom.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/server/methods/getUsersOfRoom.js b/server/methods/getUsersOfRoom.js index 861e8374fa75..3a6bc5c2e66a 100644 --- a/server/methods/getUsersOfRoom.js +++ b/server/methods/getUsersOfRoom.js 
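Review bot: The guard added to getUsersOfRoom gives no hint of why broadcast rooms are treated differently from every other room the method serves, and the reason is not obvious from the method itself; a one-line comment above the `if (room.broadcast && ...)` such as `// Broadcast rooms expose their member list only to holders of the room-scoped view-broadcast-member-list permission` would spare the next reader a trip through the authorization package. It also reads the caller with `Meteor.userId()`; if this method is a plain function and the file's other methods use `this.userId`, using the same form here would be consistent, though this cannot be confirmed from the hunk. The method body continues outside the hunk.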
@@ -10,9 +10,7 @@ Meteor.methods({ } if (room.broadcast && !RocketChat.authz.hasPermission(Meteor.userId(), 'view-broadcast-member-list', roomId)) { - throw new Meteor.Error('error-not-allowed', 'Not allowed', { - method: 'getUsersOfRoom' - }); + throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'getUsersOfRoom' }); } const filter = (record) => {