RocketChat · felipe-rod123 · Jul 28, 2022 · Aug 2, 2022 · Aug 2, 2022 · Aug 2, 2022
diff --git a/apps/meteor/app/api/server/v1/users.ts b/apps/meteor/app/api/server/v1/users.ts
@@ -8,6 +8,7 @@ import {
 	isUsersListTeamsProps,
 	isUsersAutocompleteProps,
 	isUsersSetAvatarProps,
+	isUsersSetAvatarFromServiceProps,
 	isUsersUpdateParamsPOST,
 	isUsersUpdateOwnBasicInfoParamsPOST,
 	isUsersSetPreferencesParamsPOST,
@@ -226,6 +227,43 @@ API.v1.addRoute(
 	},
 );
 
+API.v1.addRoute(
+	'users.setAvatarFromService',
+	{
+		authRequired: true,
+		validateParams: isUsersSetAvatarFromServiceProps,
+	},
+	{
+		async post() {
+			const fields = this.bodyParams;
+			if (!settings.get('Accounts_AllowUserAvatarChange')) {
+				throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed', {
+					method: 'users.setAvatar',
+				});
+			}
+
+			const canEditOtherUserAvatar = hasPermission(this.userId, 'edit-other-user-avatar');
+
+			const user = ((): IUser | undefined => {
+				if (this.isUserFromParams()) {
+					return Meteor.users.findOne(this.userId) as IUser;
+				}
+				if (canEditOtherUserAvatar) {
+					return this.getUserFromParams();
+				}
+			})();
+
+			if (!user) {
+				return API.v1.unauthorized();
+			}
+
+			setUserAvatar(user, fields.blob, fields.contentType, fields.service);
+
+			return API.v1.success();
+		},
+	},
+);
+
 API.v1.addRoute(
 	'users.create',
 	{ authRequired: true, validateParams: isUserCreateParamsPOST },

@@ -1,5 +1,5 @@
 import { AvatarObject, AvatarServiceObject, AvatarReset, AvatarUrlObj, IUser } from '@rocket.chat/core-typings';
-import { useToastMessageDispatch, useMethod, useTranslation } from '@rocket.chat/ui-contexts';
+import { useEndpoint, useToastMessageDispatch, useTranslation } from '@rocket.chat/ui-contexts';
 import { useMemo, useCallback } from 'react';
 
 import { useEndpointAction } from './useEndpointAction';
@@ -11,15 +11,17 @@ const isServiceObject = (avatarObj: AvatarObject): avatarObj is AvatarServiceObj
 const isAvatarUrl = (avatarObj: AvatarObject): avatarObj is AvatarUrlObj =>
 	!isAvatarReset(avatarObj) && typeof avatarObj === 'object' && 'service' && 'avatarUrl' in avatarObj;
 
+type AvatarObjectWithString = AvatarObject & { blob: string };
+
 export const useUpdateAvatar = (
-	avatarObj: AvatarObject,
+	avatarObj: AvatarObjectWithString,
 	userId: IUser['_id'],
 ): (() => Promise<{ success: boolean } | null | undefined>) => {
 	const t = useTranslation();
 	const avatarUrl = isAvatarUrl(avatarObj) ? avatarObj.avatarUrl : '';
 
 	const successText = t('Avatar_changed_successfully');
-	const setAvatarFromService = useMethod('setAvatarFromService');
+	const setAvatarFromService = useEndpoint('POST', '/v1/users.setAvatarFromService');
 
 	const dispatchToastMessage = useToastMessageDispatch();
 
@@ -50,9 +52,8 @@ export const useUpdateAvatar = (
 			return saveAvatarUrlAction();
 		}
 		if (isServiceObject(avatarObj)) {
-			const { blob, contentType, service } = avatarObj;
 			try {
-				await setAvatarFromService(blob, contentType, service);
+				await setAvatarFromService(avatarObj);
 				dispatchToastMessage({ type: 'success', message: successText });
 			} catch (error) {
 				dispatchToastMessage({ type: 'error', message: error });

@@ -3,12 +3,14 @@ import { Match, check } from 'meteor/check';
 import { DDPRateLimiter } from 'meteor/ddp-rate-limiter';
 
 import { settings } from '../../app/settings/server';
-import { setUserAvatar } from '../../app/lib';
+import { setUserAvatar } from '../../app/lib/server';
 import { Users } from '../../app/models/server';
 import { hasPermission } from '../../app/authorization/server';
+import { methodDeprecationLogger } from '../../app/lib/server/lib/deprecationWarningLogger';
 
 Meteor.methods({
-	setAvatarFromService(dataURI, contentType, service, userId) {
+	setAvatarFromService(dataURI: string, contentType: string, service: string, userId: string) {
+		methodDeprecationLogger.warn('setAvatarFromService will be deprecated in future versions of Rocket.Chat');
 		check(dataURI, String);
 		check(contentType, Match.Optional(String));
 		check(service, Match.Optional(String));
@@ -29,7 +31,8 @@ Meteor.methods({
 		let user;
 
 		if (userId && userId !== Meteor.userId()) {
-			if (!hasPermission(Meteor.userId(), 'edit-other-user-avatar')) {
+			// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+			if (!hasPermission(Meteor.userId()!, 'edit-other-user-avatar')) {
 				throw new Meteor.Error('error-unauthorized', 'Unauthorized', {
 					method: 'setAvatarFromService',
 				});

diff --git a/apps/meteor/tests/data/interactions.js b/apps/meteor/tests/data/interactions.js
@@ -1,2 +1,5 @@
+import { BASE_URL } from '../e2e/config/constants'
+
 export const targetUser = 'rocket.cat';
 export const imgURL = './public/images/logo/1024x1024.png';
+export const avatarURL = BASE_URL +  '/images/logo/1024x1024.png';
@@ -751,6 +751,91 @@ describe('[Users]', function () {
 		});
 	});
 
+	describe('[/users.setAvatarFromService]', () => {
+		let user;
+		let userCredentials;
+		before(async () => {
+			user = await createUser();
+			userCredentials = await login(user.username, password);
+		});
+		before((done) => {
+			updateSetting('Accounts_AllowUserAvatarChange', true).then(() => {
+				updatePermission('edit-other-user-avatar', ['admin', 'user']).then(done);
+			});
+		});
-		before((done) => {
-			updateSetting('Accounts_AllowUserAvatarChange', true).then(() => {
-				updatePermission('edit-other-user-avatar', ['admin', 'user']).then(done);
-			});
-		});
+		before(async () => {
+			await updateSetting('Accounts_AllowUserAvatarChange', true);
+			await updatePermission('edit-other-user-avatar', ['admin', 'user']);
+		});
-		before((done) => {
-			updateSetting('Accounts_AllowUserAvatarChange', true).then(() => {
-				updatePermission('edit-other-user-avatar', ['admin', 'user']).then(done);
-			});
-		});
+		before(async () => {
+			await updateSetting('Accounts_AllowUserAvatarChange', true);
+			await updatePermission('edit-other-user-avatar', ['admin', 'user']);
+		});
+		after(async () => {
+			await updateSetting('Accounts_AllowUserAvatarChange', true);
+			await deleteUser(user);
+			user = undefined;
+			await updatePermission('edit-other-user-avatar', ['admin']);
+		});
+		it('should set the avatar of the logged user by a local image', (done) => {
+			request
+				.post(api('users.setAvatarFromService'))
+				.set(userCredentials)
+				.send({
+					username: adminUsername,
+					blob: 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8z8BQDwAEhQGAhKmMIQAAAABJRU5ErkJggg==',
+					contentType: 'image/png',
+					service: 'gravatar',
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				})
+				.end(done);
+		});
+		it('should update the avatar of another user by userId when the logged user has the necessary permission (edit-other-user-avatar)', (done) => {
+			request
+				.post(api('users.setAvatarFromService'))
+				.set(userCredentials)
+				.send({
+					username: adminUsername,
+					blob: 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8z8BQDwAEhQGAhKmMIQAAAABJRU5ErkJggg==',
+					contentType: 'image/png',
+					service: 'gravatar',
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				})
+				.end(done);
+		});
+		it('should set the avatar of another user by username and local image when the logged user has the necessary permission (edit-other-user-avatar)', (done) => {
+			request
+				.post(api('users.setAvatarFromService'))
+				.set(userCredentials)
+				.send({
+					username: adminUsername,
+					blob: 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8z8BQDwAEhQGAhKmMIQAAAABJRU5ErkJggg==',
+					contentType: 'image/png',
+					service: 'gravatar',
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				})
+				.end(done);
+		});
+		it('should return an error if the correct params are not provided', (done) => {
+			updatePermission('edit-other-user-avatar', []).then(() => {
+				request
+					.post(api('users.setAvatarFromService'))
+					.set(userCredentials)
+					.send({})
+					.expect('Content-Type', 'application/json')
+					.expect(400)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', false);
+					})
+					.end(done);
+			});
+		});
+	});
+
 	describe('[/users.resetAvatar]', () => {
 		let user;
 		before(async () => {

@@ -75,6 +75,46 @@ const UsersSetAvatarSchema = {
 
 export const isUsersSetAvatarProps = ajv.compile<UsersSetAvatar>(UsersSetAvatarSchema);
 
+type UsersSetAvatarFromService = {
+	userId?: IUser['_id'];
+	username?: IUser['username'];
+
+	blob: string;
+	contentType: string;
+	service: string;
+};
+
+const UsersSetAvatarFromServiceSchema = {
+	type: 'object',
+	properties: {
+		userId: {
+			type: 'string',
+			nullable: true,
+		},
+		username: {
+			type: 'string',
+			nullable: true,
+		},
+		blob: {
+			type: 'string',
+		},
+		contentType: {
+			type: 'string',
+		},
+		service: {
+			type: 'string',
+		},
+		url: {
+			type: 'string',
+			nullable: true,
+		},
+	},
+	required: ['blob', 'contentType', 'service'],
+	additionalProperties: false,
+};
+
+export const isUsersSetAvatarFromServiceProps = ajv.compile<UsersSetAvatarFromService>(UsersSetAvatarFromServiceSchema);
+
 type UsersResetAvatar = { userId?: IUser['_id']; username?: IUser['username'] };
 
 const UsersResetAvatarSchema = {
@@ -137,6 +177,9 @@ export type UsersEndpoints = {
 	'/v1/users.setAvatar': {
 		POST: (params: UsersSetAvatar) => void;
 	};
+	'/v1/users.setAvatarFromService': {
+		POST: (params: UsersSetAvatarFromService) => void;
+	};
 	'/v1/users.resetAvatar': {
 		POST: (params: UsersResetAvatar) => void;
 	};