[FIX] Not escaping special chars on mentions #10793

Merged
merged 4 commits into from May 17, 2018

5 participants
@erhan-
Contributor

erhan- commented May 17, 2018

One of the XSS issues happens when the "Use Real Name" setting is enabled. You can change your display name to this, for example:
<svg onload=alert(69)>
And then mention yourself with @ in a room. Everybody in the room will execute the code. Exfiltrating the data is left to the reader as an exercise.

I have no instance to test this but I think it should work.

Timeline:
20.04.2018 - Sent two XSS to security@rocket.chat, received link to HackerOne but issues are deactivated
11.05.2018 - asked for update
17.05.2018 - no answer, so created this PR

I found this bug together with @Faradax during our work at G Data - Advanced Analytics

@CLAassistant


CLAassistant commented May 17, 2018

CLA assistant check
All committers have signed the CLA.

@mtimofiiv


mtimofiiv commented May 17, 2018

Seems like a pretty important issue to look into merging straight away. The fix is simple and uses an existing method.

@sampaiodiego sampaiodiego changed the title from Fix XSS vulnerability in user mention to [FIX] Not escaping special chars on mentions May 17, 2018

@sampaiodiego

@erhan- much appreciated for your fix.. we're working to fix our HackerOne issues.

I have tested this and it's not working since escapeHTML is from underscore.string and not underscore.. do you mind giving me write access to your fork so I can commit the fix and some tests I have written already? thx
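Both comments above describe the same shape of bug, so here is one added illustration (not Rocket.Chat's code and not the PR's diff): a mention renderer that substitutes the user's stored display name into message HTML, once raw and once escaped. `escapeHtml` stands in for `underscore.string`'s `escapeHTML`; the user table and the messages are constructed.

```javascript
// Added example, not Rocket.Chat's code: a minimal mention renderer in the
// vulnerable shape described in the PR and the escaped form the fix moves to.
// escapeHtml stands in for underscore.string's escapeHTML (plain underscore
// has no such helper, which is what broke the first version of the patch).

const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

// Escape the characters that can open a tag, close an attribute or start
// an entity. Ampersand must be in the set or "&lt;" round-trips to "<".
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Constructed user directory. A username is validated on registration, but
// the display name ("real name") is free text the user edits at any time,
// so it has to be treated as untrusted whenever it reaches markup.
const USERS = {
  alice: { username: 'alice', name: 'Alice Example' },
  // The display name from the report: a tag with an event handler attribute.
  erhan: { username: 'erhan', name: '<svg onload=alert(69)>' },
};

// Matches "@username" inside already-rendered message HTML; a trailing
// "." or "-" is left out of the capture so "@alice." still resolves.
const MENTION_RE = /@([\w.-]*\w)/g;

function labelFor(user, useRealName) {
  return useRealName && user.name ? user.name : user.username;
}

// Vulnerable: the message body was escaped earlier in the pipeline, but the
// label substituted in here comes from the user record and never was.
function renderMentionsVulnerable(html, useRealName) {
  return html.replace(MENTION_RE, (match, username) => {
    const user = USERS[username];
    if (!user) return match;
    const label = labelFor(user, useRealName);
    return `<a class="mention-link" data-username="${user.username}">@${label}</a>`;
  });
}

// Fixed: every value that did not originate in this function is escaped at
// the point where it is interpolated into HTML, text and attribute alike.
function renderMentionsFixed(html, useRealName) {
  return html.replace(MENTION_RE, (match, username) => {
    const user = USERS[username];
    if (!user) return match;
    const label = escapeHtml(labelFor(user, useRealName));
    const attr = escapeHtml(user.username);
    return `<a class="mention-link" data-username="${attr}">@${label}</a>`;
  });
}

// Regression check in the spirit of the tests the maintainer mentions: the
// renderer may emit anchors and nothing else. Any other tag name in the
// output means untrusted data became markup.
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((tag) => !/^<\/?a$/.test(tag));
}

// Stand-alone demonstration over the constructed data.
function demo() {
  const message = 'thanks @erhan and @alice.';
  const vulnerable = renderMentionsVulnerable(message, true);
  const fixed = renderMentionsFixed(message, true);
  return {
    vulnerable,
    fixed,
    vulnerableLeaksTag: containsUnexpectedTag(vulnerable),
    fixedLeaksTag: containsUnexpectedTag(fixed),
  };
}
```

With "Use Real Name" off, both renderers emit only the validated username, which is why the report depends on that setting.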

erhan- and others added some commits May 17, 2018

@sampaiodiego sampaiodiego added this to the 0.64.2 milestone May 17, 2018

@erhan-


Contributor

erhan- commented May 17, 2018

Thanks for the quick response.

@sampaiodiego sampaiodiego merged commit 5bfbb98 into RocketChat:develop May 17, 2018

4 checks passed

ci/circleci: build: Your tests passed on CircleCI!
ci/circleci: test-with-oplog: Your tests passed on CircleCI!
ci/circleci: test-without-oplog: Your tests passed on CircleCI!
license/cla: Contributor License Agreement is signed.

@rodrigok rodrigok referenced this pull request May 18, 2018

Merged

Release 0.64.2 #10812

rodrigok added a commit that referenced this pull request May 18, 2018

Release 0.64.2 (#10812)
* changed saml integration to store data on mongo instead of memory

* Update saml_server.js

* [FIX] Fix create channel, when created a readonly channel (#10665)

[FIX] Channel owner was being set as muted when creating a read-only channel

* Correct links to Rocket.Chat documentation (#10674)

Correct links in README file

* Fix flickering on message-box emoji icon (#10678)

[FIX] Message box emoji icon was flickering when typing a text

* add `npm run postinstall` into build script (#10524)

Add `npm run postinstall` into example build script

* [FIX] Improve desktop notification formatting (#10445)

* Improved notification formatting

* Fixed lint issues

* Changed body format

* Fixed the problem of missing descriptions on message attachments (#10705)

* [BREAK] Improvements to notifications logic (#10686)

[NEW] Improvements to notifications logic

* LingoHub Update 🚀 (#10691)

Manual push by LingoHub User: Rodrigo Nascimento.
Project: Rocket.Chat

Made with ❤️ by https://lingohub.com

* [NEW] Setup Wizard (#10523)

* welcome

* .

* stylelint

* new illustration

* new layout

* .

* implements dicts

* added all setup wizard settings to wizard

* fix some setup wizard css

* fix setup wizard js linter errors

* remove old setup wizard templates

* setup wizard has just one main tag now

* setup wizard registration fields filter is more readable

* add register server page to setup wizard

* fix setup wizard progress bar on RTL

* setup wizard is registering users

* Add setup wizard tests, routes and fix batch

* fix setup wizard tests

* add api test back

* comment rocketchat:google-natural-language package and remove logs

* add some translation keys for setup wizard

* remove old setup wizard template

* fix sort code on setup wizard

* fix getWizardSetting method

* new migration for setupwizard

* setup wizard setting migration

* fix setupwizard migration

* Update versions

* fix some setup wizard code logic

* fix setup wizard registerServer setting

* revert package-lock.json

* revert google-natural-language .npm folder

* revert meteor packages file and add setup wizard

* remove some default values from setup wizard settings

* add advocacy option on setup wizard industry setting

* change key name to setting to make the filter more readable on setup wizard

* change key name to setting to make the filter more readable on setup wizard

* add findWizardSettings on models Settings and handle errors of getWizardSettings method

* change setting to key to make the filter more readable on setup wizard

* fix setup wizard settings filter map

* remove serverHasAdminUser method on setup wizard

* fix setup wizard tests

* fix setup wizard final step workspace link

* fix setup wizard tests

* [FIX] Improve wordpress OAuth settings (#10724)

[NEW] Add more options for Wordpress OAuth configuration

* [NEW] Add /api/v1/channels.roles & /api/v1/groups.roles (#10607)

[NEW] Add REST endpoints `channels.roles` & `groups.roles`

* Changes source of text for announcement modal content (#10733)

[FIX] Regression: Empty content on announcement modal

* [FIX] Send a message when muted returns inconsistent result in chat.sendMessage (#10720)

* Change the message that returns, when a muted or blocked user tries to send a message using that endpoint

* Remove origin provide to sendMessage method, simply throwing an error when the user is muted or blocked

* More improvements on send notifications logic (#10736)

* Denormalize the User’s Highlights

* Find subscriptions for each type of notification

* Change email preference values

* General improvements

* Use just one query to get all subscriptions to notify

* Get highlights from subscriptions on method notifyUsersOnMessage

* Keep compatibility of emailNotifications preference in subscription save

* Prevent group mentions on large rooms

* Bump version to 0.64.2-rc.0

* Fix notifications for direct messages (#10760)

* Add setting and expose prometheus on port 9100 (#10766)

* Add setting and expose prometheus on port 9100

* Prometheus: Add number of connected users

* Send statistics to prometheus

* Prometheus: Add methods, subscriptions and callbacks data

* Prometheus: Add metrics of REST API calls

* Prometheus: Record subscriptions time

* Add metrics to notifications

* Wizard improvements (#10776)

* Change wizard state from boolean to `pending`, `in_progress` or `completed`
* Add migration to change the wizard setting to new values and fix the old migration
* Make the wizard responsive for small screens
* Do not publish wizard settings to the client
* Do not show wizard for unlogged users after admin was created

* Add badge back to push notifications (#10779)

* Better metric for notifications (#10786)

* Improvement to push notifications on direct messages (#10788)

* Prometheus: Improve metric names (#10789)

* Bump version to 0.64.2-rc.1

* [FIX] Not escaping special chars on mentions (#10793)

* Regression: Fix wrong wizard field name (#10804)

* Prometheus: Fix notification metric (#10803)

* Regression: Autorun of wizard was not destroyed after completion (#10802)

* Prometheus: Add metric to track hooks time (#10798)

* Bump version to 0.64.2-rc.2

* Prevent setup wizard redirects (#10811)

* Prevent setup wizard redirects

* Fix setup wizard layout

* Prometheus: Track user agent

* Bump version to 0.64.2

@divergefx divergefx referenced this pull request May 25, 2018

Merged

Release 0.64.2 (#10812) #6

This was referenced May 27, 2018

rodrigok added a commit that referenced this pull request May 28, 2018

Release 0.65.0 (#10893)
* Stop caching private settings (#10625)

* [NEW] Add REST API endpoints `channels.setCustomFields` and `groups.setCustomFields` (#9733)

* Add channels.setCustomFields and groups.setCustomFields
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Delete unused `user` parameter
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add tests for channels.setCustomFields and groups.setCustomFields
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix lint
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix lint
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Propagate setCustomFields to Subscriptions
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix semicolon
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* [NEW] Add REST API endpoints `channels.counters`, `groups.counters` and `im.counters` (#9679)

* Add countVisibleByRoomIdBetweenTimestampsInclusive
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add channels.counters, groups.counters, im.counters
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix spaces
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fixes
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Small fix
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Small fix #2
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Small fix #3
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add channels.counters and groups.counters tests
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix tests, last message and unread message times
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix last message and unread message times for IM
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add im.counters test
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix for msgs=0
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* [FIX] UI was not disabling the actions when users has had no permissions to create channels or add users to rooms (#10564)

* hide plus icon when user doesn't have both permission for create-c and create-p

* add helper to checkout two permissions set initial value for the room type

* hide the plus icon in directory if user doesn't have both create-c and create-p permissions

* get permissions for create channels and groups

* check if user can add channel hide and groups, hide button based upon correct state

* prevent add user button from being hidden when user has permission add user to joined room

* removed the if statement and use short hand if else syntax

* better code for disabling checkbox in create room feature if user doesn't have permission

* add missing semicolon

* put canShowAddUsersButton into separate function call function in events and helpers

* move the canShowAddUsersButton function to define before it's called

* fix bug that prevents the viewing of the keyboard shortcuts button in groups and direct messages

* fix permissions

* Add verification to authorize get images with X-user-id and X-auth-token (#10741)

* [FIX] Fix rest /me endpoint (#10662)

[NEW] REST API endpoint `/me` now returns all the settings, including the default values

* Add REST endpoint to mark messages as unread (#10778)

[NEW] Add REST endpoint `subscriptions.unread` to mark messages as unread

* [NEW] REST API endpoint `settings` now allow set colors and trigger actions (#10488)

* edited settings-api to execute button event

* Fix indentation and defer await

* removing the defer and waiting for the method to execute

* Add Rest endpoint to get username suggestion (#10702)

* major dependencies update (#10661)

* Remove old translations (#10448)

* [FIX] disable/enable System Messages (#10704)

[FIX] Missing option to disable/enable System Messages

* [NEW] View pinned message's attachment (#10214)

* displays pinned file's attachments

* handles pin for replies and quotes

* fix review

* [FIX] Enabling "Collapse Embedded Media by Default" hides replies, quotes (#10427)

[FIX] Enabling `Collapse Embedded Media by Default` was hiding replies and quotes

* [NEW] lazy load image attachments (#10608)

[NEW] Lazy load image attachments

* Develop sync (#10815)

* add redhat dockerfile to master (#10408)

* add redhat dockerfile to master

* Add redhat dockerfile to set-version helper script

* Release 0.63.2 (#10476)

* [FIX] Even TypeErrors with SAML (#10475)

* Bump version to 0.63.2

* Added one2mail.info to default blocked domain list (#10218)

* [FIX] The 'channel.messages' REST API Endpoint error (#10485)

* Bump version to 0.63.3

* Add the history of v0.63.3

* Bump version to 0.64.0-rc.0

* Bump version to 0.64.0-rc.1

* Bump version to 0.64.0-rc.2

* Bump version to 0.64.0-rc.3

* Bump version to 0.64.0-rc.4

* Bump version to 0.64.0

* Bump version to 0.64.1

* Bump version to 0.65.0-develop

* [NEW] Return the result of the `/me` endpoint within the result of the `/login` endpoint (#10677)

* Add response of the /me endpoint to /login endpoint

* change underscore use to ES6 object destructuring

* The Livechat settings of the 'color' types were not appearing correctly in the administrative area. (#10612)

* [NEW] Enable/disable Livechat registration form fields (#10584)

[NEW] Options to enable/disable each Livechat registration form field

* When a manager tried to send a message in a live room, an error was being displayed because there is no subscription for the manager. (#10663)

[FIX] Livechat managers were not being able to send messages in some cases

* [NEW] Implement a local password policy (#9857)

* Implement a local password policy

* Improve ValidatePasswordPolicy and create tests

* Validate user’s password on method saveUserProfile

* Fix typo PasswordPoliceClass

* Apps: Command Previews, Message and Room Removal Events (#10822)

* Add message and room removal events for Apps, fix a few other issues

* First very rough draft of the slash command preview

* Add the command preview rest api and make the previews selectable via the keyboard

* Add loading i18n

* Remove duplicated toLowerCase()

* Bump version to 0.65.0-rc.0

* Update room.html (#10715)

Fix working of cancel button in progress bar, while uploading file.

* [NEW] Add view-broadcast-member-list permission (#10753)

[NEW] Add permission `view-broadcast-member-list`

* [FIX] Livechat sidebar using "Unread on Top" user preference (#10734)

[FIX] User's preference `Unread on Top` wasn't working for LiveChat rooms

* Fix REST /me regression (#10833)

Fix: Regression in REST API endpoint `/me`

* [FIX] Broadcast/ Read only issues (#10835)

[FIX] Broadcast channels were showing reply button for deleted messages and generating wrong reply links some times

* Create temp folder if it doesn't exist (#10837)

* Fix: Regression on users avatar in admin pages (#10836)

* fix avatar admin lists

* Update messagePopup.js

* Bump version to 0.65.0-rc.1

* Fix: Clarify the wording of the release issue template (#10520)

* Clarify the wording of the release issue template

* Update release.md

* Regression: Make settings `Site_Name` and `Language` public again (#10848)

* Fix layout badge cutting on unread messages for long names (#10846)

[FIX] Layout badge cutting on unread messages for long names

* [FIX] Missing pagination fields in the response of REST /directory endpoint (#10840)

* Add missing pagination fields in the response of REST /directory endpoint

* Add support to choose sort field in REST directory

* Allow click on command previews and add setting to control apps enablement (#10853)

* Regression: Fix email notification preference not showing correct selected value (#10847)

* Fix email notification preference not showing correct selected value

Closes #10844

* Save email notification preferences correctly

Closes #10787

* Create room with user notification preferences

* Add back the uploaded file message on push notifications

* Bump version to 0.65.0-rc.2

* [FIX] The first users was not set as admin some times (#10878)

* Fixed a typo on error message for push token API (#10857)

Fix: typo on error message for push token API

* Adds flex-box to preview commands (#10883)

* Fix: Regression Lazyload fix shuffle avatars (#10887)

* fix avatar admin lists

* test to fix shuffle avatars

* LingoHub Update 🚀 (#10886)

Manual push by LingoHub User: Rodrigo Nascimento.
Project: Rocket.Chat

Made with ❤️ by https://lingohub.com

* [FIX] Manage apps layout (#10882)

Fix: Manage apps layout was a bit confusing

* Fixed slackbridge (#10875)

* Bump version to 0.65.0-rc.3

* Bump version to 0.65.0

rodrigok added a commit that referenced this pull request May 28, 2018

Merge master into develop & Set version to 0.66.0-develop (#10903)
* add redhat dockerfile to master (#10408)

* add redhat dockerfile to master

* Add redhat dockerfile to set-version helper script

* Release 0.63.2 (#10476)

* [FIX] Even TypeErrors with SAML (#10475)

* Bump version to 0.63.2

* Added one2mail.info to default blocked domain list (#10218)

* [FIX] The 'channel.messages' REST API Endpoint error (#10485)

* Bump version to 0.63.3

* Add the history of v0.63.3

* Bump version to 0.64.0-rc.0

* Bump version to 0.64.0-rc.1

* Bump version to 0.64.0-rc.2

* Bump version to 0.64.0-rc.3

* Bump version to 0.64.0-rc.4

* Bump version to 0.64.0

* Bump version to 0.64.1

* Release 0.64.2 (#10812)

* changed saml integration to store data on mongo instead of memory

* Update saml_server.js

*  [FIX] Fix create channel, when created a readonly channel (#10665)

[FIX] Channel owner was being set as muted when creating a read-only channel

* Correct links to Rocket.Chat documentation (#10674)

Correct links in README file

* Fix flickering on message-box emoji icon (#10678)

[FIX] Message box emoji icon was flickering when typing a text

* add `npm run postinstall` into build script (#10524)

Add `npm run postinstall` into example build script

* [FIX] Improve desktop notification formatting (#10445)

* Improved notification formatting

* Fixed lint issues

* Changed body format

* Fixed the problem of missing descriptions on message attachments (#10705)

* [BREAK] Improvements to notifications logic (#10686)

[NEW] Improvements to notifications logic

* LingoHub Update 🚀 (#10691)

Manual push by LingoHub User: Rodrigo Nascimento.
Project: Rocket.Chat

Made with ❤️ by https://lingohub.com

* [NEW] Setup Wizard (#10523)

* welcome

* .

* stylelint

* new ilustration

* new layout

* .

* implements dicts

* added all setup wizard settings to wizard

* fix some setup wizard css

* fix setup wizard js linter errors

* remove old setup wizard templaates

* setup wizard has just one main tag now

* setup wizard registration fields filter is more readable

* add register server page to setup wizard

* fix setup wizard progress bar on RTL

* setup wizard is registering users

* Add setup wizard tests, routes and fix batch

* fix setup wizard tests

* add api test back

* comment rocketchat:google-natural-language package and remove logs

* add some translation keys for setup wizard

* remove old setup wizard template

* fix sort code on setup wizard

* fix getWizardSetting method

* new migration for setupwizard

* setup wizard setting migration

* fix setupwizard migration

* Update versions

* fix some setup wizard code logic

* fix setup wizard registerServer setting

* rever package-lock.json

* rever google-natural-language .npm folder

* rever meteor packages file and add setup wizard

* remove some default values from setup wizard settings

* add advocacy option on setup wizard industry setting

* change key name to setting to make the filter more readable on setup wizard

* change key name to setting to make the filter more readable on setup wizard

* add findWizardSettings on models Settings and handle errors of getWizardSettings method

* change setting to key to make the filter more readable on setup wizard

* fix setup wizard settings filter map

* remove serverHasAdminUser method on setup wizard

* fix setup wizard tests

* fix setup wizard final step workspace link

* fix setup wizard tests

* [FIX] Improve wordpress OAuth settings (#10724)

[NEW] Add more options for Wordpress OAuth configuration

* [NEW] Add /api/v1/channels.roles & /api/v1/groups.roles (#10607)

[NEW] Add REST endpoints `channels.roles` & `groups.roles`

* Changes source of text for announcement modal content (#10733)

[FIX] Regression: Empty content on announcement modal

* [FIX] Send a message when muted returns inconsistent result in chat.sendMessage (#10720)

* Change the message that returns, when a muted or blocked user tries to send a message using that endpoint

* Remove origin provide to sendMessage method, simply throwing an error when the user is muted or blocked

* More improvements on send notifications logic (#10736)

* Denormalize the User’s Highlights

* Find subscriptions for each type of notification

* Change email preference values

* General improvements

* Use just one query to get all subscriptions to notify

* Get hightlights from subscriptions on method notifyUsersOnMessage

* Keep compatibility of emailNotifications preference in subscription save

* Prevent group mentions on large rooms

* Bump version to 0.64.2-rc.0

* Fix notifications for direct messages (#10760)

* Add setting and expose prometheus on port 9100 (#10766)

* Add setting and expose prometheus on port 9100

* Prometheus: Add number of connected users

* Send statistics to prometheus

* Prometheus: Add methods, subscriptions and callbacks data

* Prometheus: Add metrics of REST API calls

* Prometheus: Record subscriptions time

* Add metrics to notifications

* Wizard improvements (#10776)

* Change wizard state from boolean to `pending`, `in_progress` or `completed`
* Add migration to change the wizard setting to new values and fix the old migration
* Make the wizard responsive for small screens
* Do not publish wizard settings to the client
* Do not show wizard for unlogged users after admin was created

* Add badge back to push notifications (#10779)

* Better metric for notifications (#10786)

* Improvement to push notifications on direct messages (#10788)

* Prometheus: Improve metric names (#10789)

* Bump version to 0.64.2-rc.1

* [FIX] Not escaping special chars on mentions (#10793)

* Regression: Fix wrong wizard field name (#10804)

* Prometheus: Fix notification metric (#10803)

* Regression: Autorun of wizard was not destroyed after completion (#10802)

* Prometheus: Add metric to track hooks time (#10798)

* Bump version to 0.64.2-rc.2

* Prevent setup wizard redirects (#10811)

* Prevent setup wizard redirects

* Fix setup wizard layout

* Prometheus: Track user agent

* Bump version to 0.64.2

* Release 0.65.0 (#10893)

* changed saml integration to store data on mongo instead of memory

* Update saml_server.js

*  [FIX] Fix create channel, when created a readonly channel (#10665)

[FIX] Channel owner was being set as muted when creating a read-only channel

* Correct links to Rocket.Chat documentation (#10674)

Correct links in README file

* Fix flickering on message-box emoji icon (#10678)

[FIX] Message box emoji icon was flickering when typing a text

* add `npm run postinstall` into build script (#10524)

Add `npm run postinstall` into example build script

* [FIX] Improve desktop notification formatting (#10445)

* Improved notification formatting

* Fixed lint issues

* Changed body format

* Fixed the problem of missing descriptions on message attachments (#10705)

* [BREAK] Improvements to notifications logic (#10686)

[NEW] Improvements to notifications logic

* LingoHub Update 🚀 (#10691)

Manual push by LingoHub User: Rodrigo Nascimento.
Project: Rocket.Chat

Made with ❤️ by https://lingohub.com

* [NEW] Setup Wizard (#10523)

* welcome

* .

* stylelint

* new ilustration

* new layout

* .

* implements dicts

* added all setup wizard settings to wizard

* fix some setup wizard css

* fix setup wizard js linter errors

* remove old setup wizard templaates

* setup wizard has just one main tag now

* setup wizard registration fields filter is more readable

* add register server page to setup wizard

* fix setup wizard progress bar on RTL

* setup wizard is registering users

* Add setup wizard tests, routes and fix batch

* fix setup wizard tests

* add api test back

* comment rocketchat:google-natural-language package and remove logs

* add some translation keys for setup wizard

* remove old setup wizard template

* fix sort code on setup wizard

* fix getWizardSetting method

* new migration for setupwizard

* setup wizard setting migration

* fix setupwizard migration

* Update versions

* fix some setup wizard code logic

* fix setup wizard registerServer setting

* rever package-lock.json

* rever google-natural-language .npm folder

* rever meteor packages file and add setup wizard

* remove some default values from setup wizard settings

* add advocacy option on setup wizard industry setting

* change key name to setting to make the filter more readable on setup wizard

* change key name to setting to make the filter more readable on setup wizard

* add findWizardSettings on models Settings and handle errors of getWizardSettings method

* change setting to key to make the filter more readable on setup wizard

* fix setup wizard settings filter map

* remove serverHasAdminUser method on setup wizard

* fix setup wizard tests

* fix setup wizard final step workspace link

* fix setup wizard tests

* [FIX] Improve wordpress OAuth settings (#10724)

[NEW] Add more options for Wordpress OAuth configuration

* [NEW] Add /api/v1/channels.roles & /api/v1/groups.roles (#10607)

[NEW] Add REST endpoints `channels.roles` & `groups.roles`

* Changes source of text for announcement modal content (#10733)

[FIX] Regression: Empty content on announcement modal

* [FIX] Send a message when muted returns inconsistent result in chat.sendMessage (#10720)

* Change the message that returns, when a muted or blocked user tries to send a message using that endpoint

* Remove origin provide to sendMessage method, simply throwing an error when the user is muted or blocked

* More improvements on send notifications logic (#10736)

* Denormalize the User’s Highlights

* Find subscriptions for each type of notification

* Change email preference values

* General improvements

* Use just one query to get all subscriptions to notify

* Get highlights from subscriptions on method notifyUsersOnMessage

* Keep compatibility of emailNotifications preference in subscription save

* Prevent group mentions on large rooms

* Fix notifications for direct messages (#10760)

* Add setting and expose prometheus on port 9100 (#10766)

* Add setting and expose prometheus on port 9100

* Prometheus: Add number of connected users

* Send statistics to prometheus

* Prometheus: Add methods, subscriptions and callbacks data

* Prometheus: Add metrics of REST API calls

* Prometheus: Record subscriptions time

* Add metrics to notifications

* Wizard improvements (#10776)

* Change wizard state from boolean to `pending`, `in_progress` or `completed`
* Add migration to change the wizard setting to new values and fix the old migration
* Make the wizard responsive for small screens
* Do not publish wizard settings to the client
* Do not show wizard for unlogged users after admin was created

* Add badge back to push notifications (#10779)

* Better metric for notifications (#10786)

* Improvement to push notifications on direct messages (#10788)

* Prometheus: Improve metric names (#10789)

* [FIX] Not escaping special chars on mentions (#10793)

* Regression: Fix wrong wizard field name (#10804)

* Prometheus: Fix notification metric (#10803)

* Regression: Autorun of wizard was not destroyed after completion (#10802)

* Prometheus: Add metric to track hooks time (#10798)

* Prevent setup wizard redirects (#10811)

* Prevent setup wizard redirects

* Fix setup wizard layout

* Prometheus: Track user agent

* Stop caching private settings (#10625)

* [NEW] Add REST API endpoints `channels.setCustomFields` and `groups.setCustomFields` (#9733)

* Add channels.setCustomFields and groups.setCustomFields
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Delete unused `user` parameter
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add tests for channels.setCustomFields and groups.setCustomFields
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix lint
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix lint
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Propagate setCustomFields to Subscriptions
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix semicolon
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* [NEW] Add REST API endpoints `channels.counters`, `groups.counters` and `im.counters` (#9679)

* Add countVisibleByRoomIdBetweenTimestampsInclusive
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add channels.counters, groups.counters, im.counters
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix spaces
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fixes
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Small fix
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Small fix #2
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Small fix #3
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add channels.counters and groups.counters tests
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix tests, last message and unread message times
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix last message and unread message times for IM
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add im.counters test
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix for msgs=0
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* [FIX] UI was not disabling the actions when users had no permissions to create channels or add users to rooms (#10564)

* hide plus icon when user doesn't have both permission for create-c and create-p

* add helper to checkout two permissions set initial value for the room type

* hide the plus icon in directory if user doesn't have both create-c and create-p permissions

* get permissions for create channels and groups

* check if user can add channel hide and groups, hide button based upon correct state

* prevent add user button from being hidden when user has permission add user to joined room

* removed the if statement and use short hand if else syntax

* better code for disabling checkbox in create room feature if user doesn't have permission

* add missing semicolon

* put canShowAddUsersButton into separate function call function in events and helpers

* move the canShowAddUsersButton function to define before it's called

* fix bug that prevents the viewing of the keyboard shortcuts button in groups and direct messages

* fix permissions

* Add verification to authorize get images with X-user-id and X-auth-token (#10741)

* [FIX] Fix rest /me endpoint (#10662)

[NEW] REST API endpoint `/me` now returns all the settings, including the default values

* Add REST endpoint to mark messages as unread (#10778)

[NEW] Add REST endpoint `subscriptions.unread` to mark messages as unread

* [NEW] REST API endpoint `settings` now allow set colors and trigger actions (#10488)

* edited settings-api to execute button event

* Fix indentation and defer await

* removing the defer and waiting for the method to execute

* Add Rest endpoint to get username suggestion (#10702)

* major dependencies update (#10661)

* Remove old translations (#10448)

* [FIX] disable/enable System Messages (#10704)

[FIX] Missing option to disable/enable System Messages

* [NEW] View pinned message's attachment (#10214)

* displays pinned file's attachments

* handles pin for replies and quotes

* fix review

* [FIX] Enabling "Collapse Embedded Media by Default" hides replies, quotes (#10427)

[FIX] Enabling `Collapse Embedded Media by Default` was hiding replies and quotes

* [NEW] lazy load image attachments (#10608)

[NEW] Lazy load image attachments

* Develop sync (#10815)

* add redhat dockerfile to master (#10408)

* add redhat dockerfile to master

* Add redhat dockerfile to set-version helper script

* Release 0.63.2 (#10476)

* [FIX] Even TypeErrors with SAML (#10475)

* Bump version to 0.63.2

* Added one2mail.info to default blocked domain list (#10218)

* [FIX] The 'channel.messages' REST API Endpoint error (#10485)

* Bump version to 0.63.3

* Add the history of v0.63.3

* Bump version to 0.64.0-rc.0

* Bump version to 0.64.0-rc.1

* Bump version to 0.64.0-rc.2

* Bump version to 0.64.0-rc.3

* Bump version to 0.64.0-rc.4

* Bump version to 0.64.0

* Bump version to 0.64.1

* Bump version to 0.65.0-develop

* [NEW] Return the result of the `/me` endpoint within the result of the `/login` endpoint (#10677)

* Add response of the /me endpoint to /login endpoint

* change underscore use to ES6 object destructuring

* The Livechat settings of the 'color' types were not appearing correctly in the administrative area. (#10612)

* [NEW] Enable/disable Livechat registration form fields (#10584)

[NEW] Options to enable/disable each Livechat registration form field

* When a manager tried to send a message in a live room, an error was being displayed because there is no subscription for the manager. (#10663)

[FIX] Livechat managers were not being able to send messages in some cases

* [NEW] Implement a local password policy (#9857)

* Implement a local password policy

* Improve ValidatePasswordPolicy and create tests

* Validate user’s password on method saveUserProfile

* Fix typo PasswordPoliceClass

* Apps: Command Previews, Message and Room Removal Events (#10822)

* Add message and room removal events for Apps, fix a few other issues

* First very rough draft of the slash command preview

* Add the command preview rest api and make the previews selectable via the keyboard

* Add loading i18n

* Remove duplicated toLowerCase()

* Bump version to 0.65.0-rc.0

* Update room.html (#10715)

Fix working of cancel button in progress bar, while uploading file.

* [NEW] Add view-broadcast-member-list permission (#10753)

[NEW] Add permission `view-broadcast-member-list`

* [FIX] Livechat sidebar using "Unread on Top" user preference (#10734)

[FIX] User's preference `Unread on Top` wasn't working for LiveChat rooms

* Fix REST /me regression (#10833)

Fix: Regression in REST API endpoint `/me`

* [FIX] Broadcast/ Read only issues (#10835)

[FIX] Broadcast channels were showing reply button for deleted messages and generating wrong reply links sometimes

* Create temp folder if it doesn't exist (#10837)

* Fix: Regression on users avatar in admin pages (#10836)

* fix avatar admin lists

* Update messagePopup.js

* Bump version to 0.65.0-rc.1

* Fix: Clarify the wording of the release issue template (#10520)

* Clarify the wording of the release issue template

* Update release.md

* Regression: Make settings `Site_Name` and `Language` public again (#10848)

* Fix layout badge cutting on unread messages for long names (#10846)

[FIX] Layout badge cutting on unread messages for long names

* [FIX] Missing pagination fields in the response of REST /directory endpoint (#10840)

* Add missing pagination fields in the response of REST /directory endpoint

* Add support to choose sort field in REST directory

* Allow click on command previews and add setting to control apps enablement (#10853)

* Regression: Fix email notification preference not showing correct selected value (#10847)

* Fix email notification preference not showing correct selected value

Closes #10844

* Save email notification preferences correctly

Closes #10787

* Create room with user notification preferences

* Add back the uploaded file message on push notifications

* Bump version to 0.65.0-rc.2

* [FIX] The first user was not set as admin sometimes (#10878)

* Fixed a typo on error message for push token API (#10857)

Fix: typo on error message for push token API

* Adds flex-box to preview commands (#10883)

* Fix: Regression Lazyload fix shuffle avatars (#10887)

* fix avatar admin lists

* test to fix shuffle avatars

* LingoHub Update 🚀 (#10886)

Manual push by LingoHub User: Rodrigo Nascimento.
Project: Rocket.Chat

Made with ❤️ by https://lingohub.com

* [FIX] Manage apps layout (#10882)

Fix: Manage apps layout was a bit confusing

* Fixed slackbridge (#10875)

* Bump version to 0.65.0-rc.3

* Bump version to 0.65.0

* Bump version to 0.66.0-develop

* Update HISTORY.md

rodrigok added a commit that referenced this pull request May 28, 2018

Develop sync2 (#10908)

* add redhat dockerfile to master (#10408)

* add redhat dockerfile to master

* Add redhat dockerfile to set-version helper script

* Release 0.63.2 (#10476)

* [FIX] Even TypeErrors with SAML (#10475)

* Bump version to 0.63.2

* Added one2mail.info to default blocked domain list (#10218)

* [FIX] The 'channel.messages' REST API Endpoint error (#10485)

* Bump version to 0.63.3

* Add the history of v0.63.3

* Bump version to 0.64.0-rc.0

* Bump version to 0.64.0-rc.1

* Bump version to 0.64.0-rc.2

* Bump version to 0.64.0-rc.3

* Bump version to 0.64.0-rc.4

* Bump version to 0.64.0

* Bump version to 0.64.1

* Release 0.64.2 (#10812)

* changed saml integration to store data on mongo instead of memory

* Update saml_server.js

* [FIX] Fix create channel, when created a readonly channel (#10665)

[FIX] Channel owner was being set as muted when creating a read-only channel

* Correct links to Rocket.Chat documentation (#10674)

Correct links in README file

* Fix flickering on message-box emoji icon (#10678)

[FIX] Message box emoji icon was flickering when typing a text

* add `npm run postinstall` into build script (#10524)

Add `npm run postinstall` into example build script

* [FIX] Improve desktop notification formatting (#10445)

* Improved notification formatting

* Fixed lint issues

* Changed body format

* Fixed the problem of missing descriptions on message attachments (#10705)

* [BREAK] Improvements to notifications logic (#10686)

[NEW] Improvements to notifications logic

* LingoHub Update 🚀 (#10691)

Manual push by LingoHub User: Rodrigo Nascimento.
Project: Rocket.Chat

Made with ❤️ by https://lingohub.com

* [NEW] Setup Wizard (#10523)

* welcome

* .

* stylelint

* new illustration

* new layout

* .

* implements dicts

* added all setup wizard settings to wizard

* fix some setup wizard css

* fix setup wizard js linter errors

* remove old setup wizard templates

* setup wizard has just one main tag now

* setup wizard registration fields filter is more readable

* add register server page to setup wizard

* fix setup wizard progress bar on RTL

* setup wizard is registering users

* Add setup wizard tests, routes and fix batch

* fix setup wizard tests

* add api test back

* comment rocketchat:google-natural-language package and remove logs

* add some translation keys for setup wizard

* remove old setup wizard template

* fix sort code on setup wizard

* fix getWizardSetting method

* new migration for setupwizard

* setup wizard setting migration

* fix setupwizard migration

* Update versions

* fix some setup wizard code logic

* fix setup wizard registerServer setting

* revert package-lock.json

* revert google-natural-language .npm folder

* revert meteor packages file and add setup wizard

* remove some default values from setup wizard settings

* add advocacy option on setup wizard industry setting

* change key name to setting to make the filter more readable on setup wizard

* change key name to setting to make the filter more readable on setup wizard

* add findWizardSettings on models Settings and handle errors of getWizardSettings method

* change setting to key to make the filter more readable on setup wizard

* fix setup wizard settings filter map

* remove serverHasAdminUser method on setup wizard

* fix setup wizard tests

* fix setup wizard final step workspace link

* fix setup wizard tests

* [FIX] Improve wordpress OAuth settings (#10724)

[NEW] Add more options for Wordpress OAuth configuration

* [NEW] Add /api/v1/channels.roles & /api/v1/groups.roles (#10607)

[NEW] Add REST endpoints `channels.roles` & `groups.roles`

* Changes source of text for announcement modal content (#10733)

[FIX] Regression: Empty content on announcement modal

* [FIX] Send a message when muted returns inconsistent result in chat.sendMessage (#10720)

* Change the message that returns, when a muted or blocked user tries to send a message using that endpoint

* Remove origin provide to sendMessage method, simply throwing an error when the user is muted or blocked

* More improvements on send notifications logic (#10736)

* Denormalize the User’s Highlights

* Find subscriptions for each type of notification

* Change email preference values

* General improvements

* Use just one query to get all subscriptions to notify

* Get highlights from subscriptions on method notifyUsersOnMessage

* Keep compatibility of emailNotifications preference in subscription save

* Prevent group mentions on large rooms

* Bump version to 0.64.2-rc.0

* Fix notifications for direct messages (#10760)

* Add setting and expose prometheus on port 9100 (#10766)

* Add setting and expose prometheus on port 9100

* Prometheus: Add number of connected users

* Send statistics to prometheus

* Prometheus: Add methods, subscriptions and callbacks data

* Prometheus: Add metrics of REST API calls

* Prometheus: Record subscriptions time

* Add metrics to notifications

* Wizard improvements (#10776)

* Change wizard state from boolean to `pending`, `in_progress` or `completed`
* Add migration to change the wizard setting to new values and fix the old migration
* Make the wizard responsive for small screens
* Do not publish wizard settings to the client
* Do not show wizard for unlogged users after admin was created

* Add badge back to push notifications (#10779)

* Better metric for notifications (#10786)

* Improvement to push notifications on direct messages (#10788)

* Prometheus: Improve metric names (#10789)

* Bump version to 0.64.2-rc.1

* [FIX] Not escaping special chars on mentions (#10793)

* Regression: Fix wrong wizard field name (#10804)

* Prometheus: Fix notification metric (#10803)

* Regression: Autorun of wizard was not destroyed after completion (#10802)

* Prometheus: Add metric to track hooks time (#10798)

* Bump version to 0.64.2-rc.2

* Prevent setup wizard redirects (#10811)

* Prevent setup wizard redirects

* Fix setup wizard layout

* Prometheus: Track user agent

* Bump version to 0.64.2

* Bump version to 0.65.0-rc.0

* Bump version to 0.65.0-rc.1

* Bump version to 0.65.0-rc.2

* Bump version to 0.65.0-rc.3

* Bump version to 0.65.0

* Release 0.65.0 (#10893)

* changed saml integration to store data on mongo instead of memory

* Update saml_server.js

* [FIX] Fix create channel, when created a readonly channel (#10665)

[FIX] Channel owner was being set as muted when creating a read-only channel

* Correct links to Rocket.Chat documentation (#10674)

Correct links in README file

* Fix flickering on message-box emoji icon (#10678)

[FIX] Message box emoji icon was flickering when typing a text

* add `npm run postinstall` into build script (#10524)

Add `npm run postinstall` into example build script

* [FIX] Improve desktop notification formatting (#10445)

* Improved notification formatting

* Fixed lint issues

* Changed body format

* Fixed the problem of missing descriptions on message attachments (#10705)

* [BREAK] Improvements to notifications logic (#10686)

[NEW] Improvements to notifications logic

* LingoHub Update 🚀 (#10691)

Manual push by LingoHub User: Rodrigo Nascimento.
Project: Rocket.Chat

Made with ❤️ by https://lingohub.com

* [NEW] Setup Wizard (#10523)

* welcome

* .

* stylelint

* new illustration

* new layout

* .

* implements dicts

* added all setup wizard settings to wizard

* fix some setup wizard css

* fix setup wizard js linter errors

* remove old setup wizard templates

* setup wizard has just one main tag now

* setup wizard registration fields filter is more readable

* add register server page to setup wizard

* fix setup wizard progress bar on RTL

* setup wizard is registering users

* Add setup wizard tests, routes and fix batch

* fix setup wizard tests

* add api test back

* comment rocketchat:google-natural-language package and remove logs

* add some translation keys for setup wizard

* remove old setup wizard template

* fix sort code on setup wizard

* fix getWizardSetting method

* new migration for setupwizard

* setup wizard setting migration

* fix setupwizard migration

* Update versions

* fix some setup wizard code logic

* fix setup wizard registerServer setting

* revert package-lock.json

* revert google-natural-language .npm folder

* revert meteor packages file and add setup wizard

* remove some default values from setup wizard settings

* add advocacy option on setup wizard industry setting

* change key name to setting to make the filter more readable on setup wizard

* change key name to setting to make the filter more readable on setup wizard

* add findWizardSettings on models Settings and handle errors of getWizardSettings method

* change setting to key to make the filter more readable on setup wizard

* fix setup wizard settings filter map

* remove serverHasAdminUser method on setup wizard

* fix setup wizard tests

* fix setup wizard final step workspace link

* fix setup wizard tests

* [FIX] Improve wordpress OAuth settings (#10724)

[NEW] Add more options for Wordpress OAuth configuration

* [NEW] Add /api/v1/channels.roles & /api/v1/groups.roles (#10607)

[NEW] Add REST endpoints `channels.roles` & `groups.roles`

* Changes source of text for announcement modal content (#10733)

[FIX] Regression: Empty content on announcement modal

* [FIX] Send a message when muted returns inconsistent result in chat.sendMessage (#10720)

* Change the message that returns, when a muted or blocked user tries to send a message using that endpoint

* Remove origin provide to sendMessage method, simply throwing an error when the user is muted or blocked

* More improvements on send notifications logic (#10736)

* Denormalize the User’s Highlights

* Find subscriptions for each type of notification

* Change email preference values

* General improvements

* Use just one query to get all subscriptions to notify

* Get highlights from subscriptions on method notifyUsersOnMessage

* Keep compatibility of emailNotifications preference in subscription save

* Prevent group mentions on large rooms

* Fix notifications for direct messages (#10760)

* Add setting and expose prometheus on port 9100 (#10766)

* Add setting and expose prometheus on port 9100

* Prometheus: Add number of connected users

* Send statistics to prometheus

* Prometheus: Add methods, subscriptions and callbacks data

* Prometheus: Add metrics of REST API calls

* Prometheus: Record subscriptions time

* Add metrics to notifications

* Wizard improvements (#10776)

* Change wizard state from boolean to `pending`, `in_progress` or `completed`
* Add migration to change the wizard setting to new values and fix the old migration
* Make the wizard responsive for small screens
* Do not publish wizard settings to the client
* Do not show wizard for unlogged users after admin was created

* Add badge back to push notifications (#10779)

* Better metric for notifications (#10786)

* Improvement to push notifications on direct messages (#10788)

* Prometheus: Improve metric names (#10789)

* [FIX] Not escaping special chars on mentions (#10793)

* Regression: Fix wrong wizard field name (#10804)

* Prometheus: Fix notification metric (#10803)

* Regression: Autorun of wizard was not destroyed after completion (#10802)

* Prometheus: Add metric to track hooks time (#10798)

* Prevent setup wizard redirects (#10811)

* Prevent setup wizard redirects

* Fix setup wizard layout

* Prometheus: Track user agent

* Stop caching private settings (#10625)

* [NEW] Add REST API endpoints `channels.setCustomFields` and `groups.setCustomFields` (#9733)

* Add channels.setCustomFields and groups.setCustomFields
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Delete unused `user` parameter
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add tests for channels.setCustomFields and groups.setCustomFields
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix lint
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix lint
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Propagate setCustomFields to Subscriptions
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix semicolon
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* [NEW] Add REST API endpoints `channels.counters`, `groups.counters` and `im.counters` (#9679)

* Add countVisibleByRoomIdBetweenTimestampsInclusive
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add channels.counters, groups.counters, im.counters
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix spaces
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fixes
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Small fix
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Small fix #2
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Small fix #3
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add channels.counters and groups.counters tests
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix tests, last message and unread message times
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix last message and unread message times for IM
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Add im.counters test
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* Fix for msgs=0
Signed-off-by: Eugene Bolshakov <pub@relvarsoft.com>

* [FIX] UI was not disabling the actions when users had no permissions to create channels or add users to rooms (#10564)

* hide plus icon when user doesn't have both permission for create-c and create-p

* add helper to checkout two permissions set initial value for the room type

* hide the plus icon in directory if user doesn't have both create-c and create-p permissions

* get permissions for create channels and groups

* check if user can add channel hide and groups, hide button based upon correct state

* prevent add user button from being hidden when user has permission add user to joined room

* removed the if statement and use short hand if else syntax

* better code for disabling checkbox in create room feature if user doesn't have permission

* add missing semicolon

* put canShowAddUsersButton into separate function call function in events and helpers

* move the canShowAddUsersButton function to define before it's called

* fix bug that prevents the viewing of the keyboard shortcuts button in groups and direct messages

* fix permissions

* Add verification to authorize get images with X-user-id and X-auth-token (#10741)

* [FIX] Fix rest /me endpoint (#10662)

[NEW] REST API endpoint `/me` now returns all the settings, including the default values

* Add REST endpoint to mark messages as unread (#10778)

[NEW] Add REST endpoint `subscriptions.unread` to mark messages as unread

* [NEW] REST API endpoint `settings` now allow set colors and trigger actions (#10488)

* edited settings-api to execute button event

* Fix indentation and defer await

* removing the defer and waiting for the method to execute

* Add Rest endpoint to get username suggestion (#10702)

* major dependencies update (#10661)

* Remove old translations (#10448)

* [FIX] disable/enable System Messages (#10704)

[FIX] Missing option to disable/enable System Messages

* [NEW] View pinned message's attachment (#10214)

* displays pinned file's attachments

* handles pin for replies and quotes

* fix review

* [FIX] Enabling "Collapse Embedded Media by Default" hides replies, quotes (#10427)

[FIX] Enabling `Collapse Embedded Media by Default` was hiding replies and quotes

* [NEW] lazy load image attachments (#10608)

[NEW] Lazy load image attachments

* Develop sync (#10815)

* add redhat dockerfile to master (#10408)

* add redhat dockerfile to master

* Add redhat dockerfile to set-version helper script

* Release 0.63.2 (#10476)

* [FIX] Even TypeErrors with SAML (#10475)

* Bump version to 0.63.2

* Added one2mail.info to default blocked domain list (#10218)

* [FIX] The 'channel.messages' REST API Endpoint error (#10485)

* Bump version to 0.63.3

* Add the history of v0.63.3

* Bump version to 0.64.0-rc.0

* Bump version to 0.64.0-rc.1

* Bump version to 0.64.0-rc.2

* Bump version to 0.64.0-rc.3

* Bump version to 0.64.0-rc.4

* Bump version to 0.64.0

* Bump version to 0.64.1

* Bump version to 0.65.0-develop

* [NEW] Return the result of the `/me` endpoint within the result of the `/login` endpoint (#10677)

* Add response of the /me endpoint to /login endpoint

* change underscore use to ES6 object destructuring

* The Livechat settings of the 'color' types were not appearing correctly in the administrative area. (#10612)

* [NEW] Enable/disable Livechat registration form fields (#10584)

[NEW] Options to enable/disable each Livechat registration form field

* When a manager tried to send a message in a live room, an error was being displayed because there is no subscription for the manager. (#10663)

[FIX] Livechat managers were not being able to send messages in some cases

* [NEW] Implement a local password policy (#9857)

* Implement a local password policy

* Improve ValidatePasswordPolicy and create tests

* Validate user’s password on method saveUserProfile

* Fix typo PasswordPoliceClass

* Apps: Command Previews, Message and Room Removal Events (#10822)

* Add message and room removal events for Apps, fix a few other issues

* First very rough draft of the slash command preview

* Add the command preview rest api and make the previews selectable via the keyboard

* Add loading i18n

* Remove duplicated toLowerCase()

* Bump version to 0.65.0-rc.0

* Update room.html (#10715)

Fix working of cancel button in progress bar, while uploading file.

* [NEW] Add view-broadcast-member-list permission (#10753)

[NEW] Add permission `view-broadcast-member-list`

* [FIX] Livechat sidebar using "Unread on Top" user preference (#10734)

[FIX] User's preference `Unread on Top` wasn't working for LiveChat rooms

* Fix REST /me regression (#10833)

Fix: Regression in REST API endpoint `/me`

* [FIX] Broadcast/ Read only issues (#10835)

[FIX] Broadcast channels were showing reply button for deleted messages and generating wrong reply links sometimes

* Create temp folder if it doesn't exist (#10837)

* Fix: Regression on users avatar in admin pages (#10836)

* fix avatar admin lists

* Update messagePopup.js

* Bump version to 0.65.0-rc.1

* Fix: Clarify the wording of the release issue template (#10520)

* Clarify the wording of the release issue template

* Update release.md

* Regression: Make settings `Site_Name` and `Language` public again (#10848)

* Fix layout badge cutting on unread messages for long names (#10846)

[FIX] Layout badge cutting on unread messages for long names

* [FIX] Missing pagination fields in the response of REST /directory endpoint (#10840)

* Add missing pagination fields in the response of REST /directory endpoint

* Add support to choose sort field in REST directory

* Allow click on command previews and add setting to control apps enablement (#10853)

* Regression: Fix email notification preference not showing correct selected value (#10847)

* Fix email notification preference not showing correct selected value

Closes #10844

* Save email notification preferences correctly

Closes #10787

* Create room with user notification preferences

* Add back the uploaded file message on push notifications

* Bump version to 0.65.0-rc.2

* [FIX] The first user was not set as admin sometimes (#10878)

* Fixed a typo on error message for push token API (#10857)

Fix: typo on error message for push token API

* Adds flex-box to preview commands (#10883)

* Fix: Regression Lazyload fix shuffle avatars (#10887)

* fix avatar admin lists

* test to fix shuffle avatars

* LingoHub Update 🚀 (#10886)

Manual push by LingoHub User: Rodrigo Nascimento.
Project: Rocket.Chat

Made with ❤️ by https://lingohub.com

* [FIX] Manage apps layout (#10882)

Fix: Manage apps layout was a bit confusing

* Fixed slackbridge (#10875)

* Bump version to 0.65.0-rc.3

* Bump version to 0.65.0
@erhan-

Contributor

erhan- commented Jun 6, 2018

Why is there no security notice about the vulnerability in the blog post?
https://rocket.chat/2018/05/30/0-65-0-release/

It looks like the developers are trying to hide the fact that there was a security vulnerability. This is not acceptable and hurts the principle of responsible disclosure.

@rodrigok

Member

rodrigok commented Jun 6, 2018

Hi @erhan-

We do not disclose security fixes as soon as we have them fixed, to prevent bad guys from exploiting them.

We are currently working on our disclosure policies document for security fixes and we will share it here as soon as we have it finished.

Let me know if you want to contribute ideas to our document; if you do, please contact me at https://open.rocket.chat/direct/rodrigo.nascimento

Thanks

@erhan-

Contributor

erhan- commented Jul 11, 2018

That's a good approach. But not disclosing at all is a total no-go and the reason why I don't use RC anymore. Anyone who tracks the issues was able to see this vulnerability. The normal end user was not.

The following CVE was assigned: CVE-2018-13878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13878
