From d1301ce69787dda6c6d6e192b27dc03f90f78772 Mon Sep 17 00:00:00 2001 From: Andrew Bromwich Date: Sun, 30 Apr 2017 19:57:09 +1000 Subject: [PATCH] Added helper for testing if the current user matches the params Updated users.getPresence and users.setAvatar REST APIs to use current user param helper --- packages/rocketchat-api/package.js | 1 + .../server/v1/helpers/getUserFromParams.js | 2 +- .../server/v1/helpers/isUserFromParams.js | 5 ++++ packages/rocketchat-api/server/v1/users.js | 27 ++++++++++--------- 4 files changed, 21 insertions(+), 14 deletions(-) create mode 100644 packages/rocketchat-api/server/v1/helpers/isUserFromParams.js diff --git a/packages/rocketchat-api/package.js b/packages/rocketchat-api/package.js index 6918b5f1da8f..ef8aaf159327 100644 --- a/packages/rocketchat-api/package.js +++ b/packages/rocketchat-api/package.js @@ -19,6 +19,7 @@ Package.onUse(function(api) { //Register v1 helpers api.addFiles('server/v1/helpers/getPaginationItems.js', 'server'); api.addFiles('server/v1/helpers/getUserFromParams.js', 'server'); + api.addFiles('server/v1/helpers/isUserFromParams.js', 'server'); api.addFiles('server/v1/helpers/parseJsonQuery.js', 'server'); api.addFiles('server/v1/helpers/getLoggedInUser.js', 'server'); diff --git a/packages/rocketchat-api/server/v1/helpers/getUserFromParams.js b/packages/rocketchat-api/server/v1/helpers/getUserFromParams.js index 99976b38990e..01c075ea0abb 100644 --- a/packages/rocketchat-api/server/v1/helpers/getUserFromParams.js +++ b/packages/rocketchat-api/server/v1/helpers/getUserFromParams.js @@ -1,4 +1,4 @@ -//Convience method, almost need to turn it into a middleware of sorts +//Convenience method, almost need to turn it into a middleware of sorts RocketChat.API.v1.helperMethods.set('getUserFromParams', function _getUserFromParams() { const doesntExist = { _doesntExist: true }; let user; 
diff --git a/packages/rocketchat-api/server/v1/helpers/isUserFromParams.js b/packages/rocketchat-api/server/v1/helpers/isUserFromParams.js new file mode 100644 index 000000000000..f0b24a78096b --- /dev/null +++ b/packages/rocketchat-api/server/v1/helpers/isUserFromParams.js @@ -0,0 +1,5 @@ +RocketChat.API.v1.helperMethods.set('isUserFromParams', function _isUserFromParams() { + return (this.queryParams.userId && this.userId === this.queryParams.userId) || + (this.queryParams.username && this.user.username === this.queryParams.username) || + (this.queryParams.user && this.user.username === this.queryParams.user); +}); diff --git a/packages/rocketchat-api/server/v1/users.js b/packages/rocketchat-api/server/v1/users.js index 525454dd36c6..aa66fab610f0 100644 --- a/packages/rocketchat-api/server/v1/users.js +++ b/packages/rocketchat-api/server/v1/users.js @@ -67,20 +67,19 @@ RocketChat.API.v1.addRoute('users.getAvatar', { authRequired: false }, { RocketChat.API.v1.addRoute('users.getPresence', { authRequired: true }, { get() { - //BLAHHHHHHHHHH :'( - if ((this.queryParams.userId && this.userId !== this.queryParams.userId) || (this.queryParams.username && this.user.username !== this.queryParams.username) || (this.queryParams.user && this.user.username !== this.queryParams.user)) { - const user = this.getUserFromParams(); - + if (this.isUserFromParams()) { + const user = RocketChat.models.Users.findOneById(this.userId); return RocketChat.API.v1.success({ - presence: user.status + presence: user.status, + connectionStatus: user.statusConnection, + lastLogin: user.lastLogin }); } - const user = RocketChat.models.Users.findOneById(this.userId); + const user = this.getUserFromParams(); + return RocketChat.API.v1.success({ - presence: user.status, - connectionStatus: user.statusConnection, - lastLogin: user.lastLogin + presence: user.status }); } }); 
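Review bot: `_isUserFromParams` consults only `this.queryParams`, so a route that identifies the target user through `this.bodyParams` (as `users.setAvatar` in this same patch does via `check(this.bodyParams, { userId: ... })`) can never match the caller, even when the body's `userId` is the caller's own id. The expression also returns whatever operand short-circuited last (`undefined`, `''`, `false`, or a username/id string) rather than a boolean; wrapping it as `return Boolean((...) || (...) || (...));` gives call sites a plain true/false. The contract deserves a comment, since "no such param present" is reported as "not the caller" rather than as an error, e.g. `// True when the user addressed by the userId/username/user query param is the authenticated caller; false when none of those params is present.` Call sites then have to decide what an absent param means for them.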
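Review bot: The no-parameter case changes behaviour in the rewritten `get()`: the removed condition was false when `userId`, `username` and `user` were all absent, so the caller's own record (with `connectionStatus` and `lastLogin`) was returned, whereas `this.isUserFromParams()` is falsy in that case and control now reaches `this.getUserFromParams()`. Unless that helper falls back to the current user when nothing is supplied (its body is outside this hunk; the visible `_doesntExist` sentinel suggests it signals "not found" rather than "self"), `users.getPresence` with no parameters now behaves as a lookup of someone else, and `user.status` on the next line is read without checking what came back. Making the self case explicit keeps the old behaviour: `if (this.isUserFromParams() || (!this.queryParams.userId && !this.queryParams.username && !this.queryParams.user)) {`, and the second branch should guard the lookup result, `if (!user || user._doesntExist) { return RocketChat.API.v1.failure('User not found'); }`.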
@@ -185,17 +184,19 @@ RocketChat.API.v1.addRoute('users.resetAvatar', { authRequired: true }, { } }); -//TODO: Make this route work with support for usernames RocketChat.API.v1.addRoute('users.setAvatar', { authRequired: true }, { post() { check(this.bodyParams, { avatarUrl: Match.Maybe(String), userId: Match.Maybe(String) }); - if (typeof this.bodyParams.userId !== 'undefined' && this.userId !== this.bodyParams.userId && !RocketChat.authz.hasPermission(this.userId, 'edit-other-user-info')) { + let user; + if (this.isUserFromParams()) { + user = Meteor.users.findOne(this.userId); + } else if (RocketChat.authz.hasPermission(this.userId, 'edit-other-user-info')) { + user = this.getUserFromParams(); + } else { return RocketChat.API.v1.unauthorized(); } - const user = Meteor.users.findOne(this.bodyParams.userId ? this.bodyParams.userId : this.userId); - if (this.bodyParams.avatarUrl) { RocketChat.setUserAvatar(user, this.bodyParams.avatarUrl, '', 'url'); } else {
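Review bot: A user setting their own avatar appears to be denied now unless they hold `edit-other-user-info`: `this.isUserFromParams()` reads only `this.queryParams`, but this route takes `userId` from `this.bodyParams` (validated by the `check()` just above), and the removed condition explicitly allowed both `this.userId === this.bodyParams.userId` and the case where no `userId` is sent. With an empty query string the new `if` is falsy, so a plain user falls through to the permission check and then to `unauthorized()`; whether `getUserFromParams()` reads body params is outside this hunk, but it is only reached after the permission passes, so it cannot rescue the self case. The self branch should recognise the body param before consulting the permission, e.g. `if (this.isUserFromParams() || !this.bodyParams.userId || this.bodyParams.userId === this.userId) {`, or the helper should consult body params as well. The `post()` body continues past the end of the hunk.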