Fix access control over posting messages to channels / threads

twake/backend/node/src/services/messages/web/controllers/messages.ts

@@ -15,7 +15,7 @@ import {
   ThreadExecutionContext,
 } from "../../types";
 import { handleError } from "../../../../utils/handleError";
-import { Pagination } from "../../../../core/platform/framework/api/crud-service";
+import { CrudException, Pagination } from "../../../../core/platform/framework/api/crud-service";
 import { getThreadMessageWebsocketRoom } from "../realtime";
 import { ThreadPrimaryKey } from "../../entities/threads";
 import { extendExecutionContentWithChannel } from "./index";
@@ -75,6 +75,32 @@ export class MessagesController
         throw "Message must be in a thread";
       }
 
+      let hasOneMembership = false;
+      for (const participant of thread.participants) {
+        if (participant.type === "channel") {
+          const isMember = await gr.services.channels.members.getChannelMember(
+            { id: context.user.id },
+            {
+              company_id: participant.company_id,
+              workspace_id: participant.workspace_id,
+              id: participant.id,
+            },
+          );
+          if (isMember) {
+            hasOneMembership = true;
+            break;
+          }
+        } else if (participant.type === "user") {
+          if (participant.id === context.user.id) {
+            hasOneMembership = true;
+            break;
+          }
+        }
+      }
+      if (!hasOneMembership) {
+        throw CrudException.notFound("You can't post in this thread");
+      }
+
       const result = await gr.services.messages.messages.save(
         {
           id: request.params.message_id || undefined,

twake/backend/node/src/services/messages/web/controllers/threads.ts

@@ -10,6 +10,7 @@ import { handleError } from "../../../../utils/handleError";
 import { CompanyExecutionContext } from "../../types";
 import { ParticipantObject, Thread } from "../../entities/threads";
 import gr from "../../../global-resolver";
+import { CrudException } from "src/core/platform/framework/api/crud-service";
 
 export class ThreadsController
   implements
@@ -39,6 +40,23 @@ export class ThreadsController
     reply: FastifyReply,
   ): Promise<ResourceCreateResponse<Thread>> {
     const context = getCompanyExecutionContext(request);
+
+    for (const participant of request.body.resource.participants) {
+      if (participant.type === "channel") {
+        const isMember = await gr.services.channels.members.getChannelMember(
+          { id: context.user.id },
+          {
+            company_id: participant.company_id,
+            workspace_id: participant.workspace_id,
+            id: participant.id,
+          },
+        );
+        if (!isMember) {
+          throw CrudException.notFound("Channel not found");
+        }
+      }
+    }
+
     try {
       const result = await gr.services.messages.threads.save(
         {

twake/backend/node/src/services/messages/web/controllers/views.ts

@@ -2,7 +2,11 @@ import { FastifyReply, FastifyRequest } from "fastify";
 import { ResourceListResponse } from "../../../../utils/types";
 import { Message } from "../../entities/messages";
 import { handleError } from "../../../../utils/handleError";
-import { ListResult, Pagination } from "../../../../core/platform/framework/api/crud-service";
+import {
+  CrudException,
+  ListResult,
+  Pagination,
+} from "../../../../core/platform/framework/api/crud-service";
 import {
   ChannelViewExecutionContext,
   FlatFileFromMessage,
@@ -38,6 +42,18 @@ export class ViewsController {
     const query = { ...request.query, include_users: request.query.include_users };
     const context = getChannelViewExecutionContext(request);
 
+    const isMember = await gr.services.channels.members.getChannelMember(
+      { id: context.user.id },
+      {
+        company_id: request.params.company_id,
+        workspace_id: request.params.workspace_id,
+        id: request.params.channel_id,
+      },
+    );
+    if (!isMember) {
+      throw CrudException.notFound("Channel not found");
+    }
+
     let resources: ListResult<MessageWithReplies | FlatFileFromMessage | FlatPinnedFromMessage>;
 
     try {