From d3805def1df8b9fa29659e64c57c26a14cd1f81d Mon Sep 17 00:00:00 2001
From: Unknown
Date: Tue, 5 Jun 2018 15:46:18 -0300
Subject: [PATCH 1/5] Fix REST groups invite, that did not allow a user to invite even with permission
---
 packages/rocketchat-api/server/v1/groups.js | 18 +++++++++++++++++-
 .../server/models/Subscriptions.js | 8 ++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/packages/rocketchat-api/server/v1/groups.js b/packages/rocketchat-api/server/v1/groups.js
index 73fa7d3cc1133..a8af43d817a55 100644
--- a/packages/rocketchat-api/server/v1/groups.js
+++ b/packages/rocketchat-api/server/v1/groups.js
@@ -348,7 +348,23 @@ RocketChat.API.v1.addRoute('groups.info', { authRequired: true }, {
 RocketChat.API.v1.addRoute('groups.invite', { authRequired: true }, {
 post() {
- const findResult = findPrivateGroupByIdOrName({ params: this.requestParams(), userId: this.userId });
+ let findResult;
+ const canAddUserToAnyPrivateGroup = RocketChat.authz.hasPermission(this.userId, 'add-user-to-any-p-room');
+ const params = this.requestParams();
+ if (canAddUserToAnyPrivateGroup) {
+ if (params.roomId && params.roomId.trim()) {
+ findResult = RocketChat.models.Subscriptions.findByRoomId(params.roomId).fetch()[0];
+ } else if (params.roomName && params.roomName.trim()) {
+ findResult = RocketChat.models.Subscriptions.findOneByRoomName(params.roomName);
+ } else {
+ throw new Meteor.Error('error-room-param-not-provided', 'The parameter "roomId" or "roomName" is required');
+ }
+ if (!findResult || findResult.t !== 'p') {
+ throw new Meteor.Error('error-room-not-found', 'The required "roomId" or "roomName" param provided does not match any group');
+ }
+ } else {
+ findResult = findPrivateGroupByIdOrName({ params, userId: this.userId });
+ }
 const user = this.getUserFromParams();
diff --git a/packages/rocketchat-lib/server/models/Subscriptions.js b/packages/rocketchat-lib/server/models/Subscriptions.js
index 12d40fedee784..7b83aaace257b 100644
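Review bot: `params.roomId` and `params.roomName` reach `.trim()` in the `canAddUserToAnyPrivateGroup` branch with no type check, although they come straight from `this.requestParams()`. A value that is not a string makes `.trim()` throw a TypeError instead of the intended `error-room-param-not-provided`, and the model queries are shielded from non-string values only by that accident. A small guard such as `const isNonEmptyString = (v) => typeof v === 'string' && v.trim() !== '';` used in both conditions would make the validation explicit. The same unchecked `.trim()` pattern recurs in the later groups.js hunks of patches 2, 4 and 5; the `post()` body continues past the end of this hunk.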
--- a/packages/rocketchat-lib/server/models/Subscriptions.js
+++ b/packages/rocketchat-lib/server/models/Subscriptions.js
@@ -54,6 +54,14 @@ class ModelSubscriptions extends RocketChat.models._Base {
 return this.findOne(query);
 }
+ findOneByRoomName(roomName) {
+ const query = {
+ name: roomName
+ };
+
+ return this.findOne(query);
+ }
+
 // FIND
 findByUserId(userId, options) {
 if (this.useCache) {
From f6c1cf5427877c51de76a711821f884d608e75ef Mon Sep 17 00:00:00 2001
From: Unknown
Date: Wed, 13 Jun 2018 12:20:13 -0300
Subject: [PATCH 2/5] Change from get by subscription to get by room directly in groups.invite REST endpoint
---
 packages/rocketchat-api/server/v1/groups.js | 9 ++++-----
 packages/rocketchat-lib/server/models/Subscriptions.js | 8 --------
 2 files changed, 4 insertions(+), 13 deletions(-)
diff --git a/packages/rocketchat-api/server/v1/groups.js b/packages/rocketchat-api/server/v1/groups.js
index a8af43d817a55..be92f321a1983 100644
--- a/packages/rocketchat-api/server/v1/groups.js
+++ b/packages/rocketchat-api/server/v1/groups.js
@@ -352,10 +352,9 @@ RocketChat.API.v1.addRoute('groups.invite', { authRequired: true }, {
 const canAddUserToAnyPrivateGroup = RocketChat.authz.hasPermission(this.userId, 'add-user-to-any-p-room');
 const params = this.requestParams();
 if (canAddUserToAnyPrivateGroup) {
- if (params.roomId && params.roomId.trim()) {
- findResult = RocketChat.models.Subscriptions.findByRoomId(params.roomId).fetch()[0];
- } else if (params.roomName && params.roomName.trim()) {
- findResult = RocketChat.models.Subscriptions.findOneByRoomName(params.roomName);
+ if ((params.roomId && params.roomId.trim()) || (params.roomName && params.roomName.trim())) {
+ const idOrName = params.roomId || params.roomName;
+ findResult = RocketChat.models.Rooms.findOneByIdOrName(idOrName);
 } else {
 throw new Meteor.Error('error-room-param-not-provided', 'The parameter "roomId" or "roomName" is required');
 }
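Review bot: `findOneByRoomName` filters on `name` alone and returns whichever subscription matches first, while its caller in groups.js then requires `t === 'p'`. If subscriptions of another room type can carry the same name (not visible here), an existing private group would be reported as `error-room-not-found`; constraining the query, for example `const query = { name: roomName, t: 'p' };` behind an optional type argument, removes the dependence on match order. A short comment stating that the result is a subscription document rather than the room would also help callers. The class body continues outside the hunk.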
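Review bot: `RocketChat.models.Rooms.findOneByIdOrName(idOrName)` receives one value for both roles, so a caller-supplied `roomId` may be matched against room names and a `roomName` against ids, depending on how that model method builds its query (not shown here). For a route gated by `add-user-to-any-p-room`, resolving to a room other than the one the caller named should be ruled out: use `RocketChat.models.Rooms.findOneById(params.roomId)` when `roomId` is given and a name-only lookup otherwise. The same lookup is kept in the groups.js hunks of patches 4 and 5, and the `if (canAddUserToAnyPrivateGroup)` block closes outside this hunk.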
@@ -369,7 +368,7 @@ RocketChat.API.v1.addRoute('groups.invite', { authRequired: true }, {
 const user = this.getUserFromParams();
 Meteor.runAsUser(this.userId, () => {
- Meteor.call('addUserToRoom', { rid: findResult.rid, username: user.username });
+ Meteor.call('addUserToRoom', { rid: findResult._id, username: user.username });
 });
 return RocketChat.API.v1.success({
diff --git a/packages/rocketchat-lib/server/models/Subscriptions.js b/packages/rocketchat-lib/server/models/Subscriptions.js
index 7b83aaace257b..12d40fedee784 100644
--- a/packages/rocketchat-lib/server/models/Subscriptions.js
+++ b/packages/rocketchat-lib/server/models/Subscriptions.js
@@ -54,14 +54,6 @@ class ModelSubscriptions extends RocketChat.models._Base {
 return this.findOne(query);
 }
- findOneByRoomName(roomName) {
- const query = {
- name: roomName
- };
-
- return this.findOne(query);
- }
-
 // FIND
 findByUserId(userId, options) {
 if (this.useCache) {
From ea92cff5e5abb5d0af6edb9670662507e4400e5b Mon Sep 17 00:00:00 2001
From: Unknown
Date: Wed, 13 Jun 2018 15:08:59 -0300
Subject: [PATCH 3/5] Change the roomId variable in groups.invite REST
---
 packages/rocketchat-api/server/v1/groups.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/packages/rocketchat-api/server/v1/groups.js b/packages/rocketchat-api/server/v1/groups.js
index be92f321a1983..1b1161fdd2892 100644
--- a/packages/rocketchat-api/server/v1/groups.js
+++ b/packages/rocketchat-api/server/v1/groups.js
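Review bot: `rid: findResult._id` is only right when `findResult` is a room document; on the path where the caller lacks `add-user-to-any-p-room`, `findResult` still comes from `findPrivateGroupByIdOrName` (outside this hunk), whose result the previous code read through `.rid`. Unless that helper also exposes the room id as `_id`, `addUserToRoom` would be called with the wrong id for ordinary members, and the `findOneById(findResult.rid, …)` in the response below the hunk appears to have the mirror problem for room documents. Deriving the id once for both paths, e.g. `const rid = findResult.rid || findResult._id;`, keeps the call and the response consistent.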
@@ -349,12 +349,14 @@ RocketChat.API.v1.addRoute('groups.info', { authRequired: true }, {
 RocketChat.API.v1.addRoute('groups.invite', { authRequired: true }, {
 post() {
 let findResult;
+ let roomId;
 const canAddUserToAnyPrivateGroup = RocketChat.authz.hasPermission(this.userId, 'add-user-to-any-p-room');
 const params = this.requestParams();
 if (canAddUserToAnyPrivateGroup) {
 if ((params.roomId && params.roomId.trim()) || (params.roomName && params.roomName.trim())) {
 const idOrName = params.roomId || params.roomName;
 findResult = RocketChat.models.Rooms.findOneByIdOrName(idOrName);
+ roomId = findResult._id;
 } else {
 throw new Meteor.Error('error-room-param-not-provided', 'The parameter "roomId" or "roomName" is required');
 }
@@ -363,16 +365,17 @@ RocketChat.API.v1.addRoute('groups.invite', { authRequired: true }, {
 }
 } else {
 findResult = findPrivateGroupByIdOrName({ params, userId: this.userId });
+ roomId = findResult.rid;
 }
 const user = this.getUserFromParams();
 Meteor.runAsUser(this.userId, () => {
- Meteor.call('addUserToRoom', { rid: findResult._id, username: user.username });
+ Meteor.call('addUserToRoom', { rid: roomId, username: user.username });
 });
 return RocketChat.API.v1.success({
- group: RocketChat.models.Rooms.findOneById(findResult.rid, { fields: RocketChat.API.v1.defaultFieldsToExclude })
+ group: RocketChat.models.Rooms.findOneById(roomId, { fields: RocketChat.API.v1.defaultFieldsToExclude })
 });
 }
 });
From 67ff6057be467e319422f8dea19f7d549001f654 Mon Sep 17 00:00:00 2001
From: Unknown
Date: Thu, 14 Jun 2018 17:00:29 -0300
Subject: [PATCH 4/5] remove endpoint logic, change to just call ddp method in /groups.invite
---
 packages/rocketchat-api/server/v1/groups.js | 26 +++++++--------------
 1 file changed, 9 insertions(+), 17 deletions(-)
diff --git a/packages/rocketchat-api/server/v1/groups.js b/packages/rocketchat-api/server/v1/groups.js
index 1b1161fdd2892..5ddca4791c8ed 100644
--- a/packages/rocketchat-api/server/v1/groups.js
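Review bot: `roomId = findResult._id;` dereferences the lookup result right after `findOneByIdOrName(idOrName)`, ahead of the `!findResult` check that follows this block between the two hunks. When no room matches, the route throws a TypeError instead of the `error-room-not-found` error it intends to return. Either move the assignment below that check or make it tolerant, `roomId = findResult && findResult._id;`.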
+++ b/packages/rocketchat-api/server/v1/groups.js 
@@ -349,33 +349,25 @@ RocketChat.API.v1.addRoute('groups.info', { authRequired: true }, {
 RocketChat.API.v1.addRoute('groups.invite', { authRequired: true }, {
 post() {
 let findResult;
- let roomId;
- const canAddUserToAnyPrivateGroup = RocketChat.authz.hasPermission(this.userId, 'add-user-to-any-p-room');
 const params = this.requestParams();
- if (canAddUserToAnyPrivateGroup) {
- if ((params.roomId && params.roomId.trim()) || (params.roomName && params.roomName.trim())) {
- const idOrName = params.roomId || params.roomName;
- findResult = RocketChat.models.Rooms.findOneByIdOrName(idOrName);
- roomId = findResult._id;
- } else {
- throw new Meteor.Error('error-room-param-not-provided', 'The parameter "roomId" or "roomName" is required');
- }
- if (!findResult || findResult.t !== 'p') {
- throw new Meteor.Error('error-room-not-found', 'The required "roomId" or "roomName" param provided does not match any group');
- }
+ if ((params.roomId && params.roomId.trim()) || (params.roomName && params.roomName.trim())) {
+ const idOrName = params.roomId || params.roomName;
+ findResult = RocketChat.models.Rooms.findOneByIdOrName(idOrName);
 } else {
- findResult = findPrivateGroupByIdOrName({ params, userId: this.userId });
- roomId = findResult.rid;
+ throw new Meteor.Error('error-room-param-not-provided', 'The parameter "roomId" or "roomName" is required');
+ }
+ if (!findResult || findResult.t !== 'p') {
+ throw new Meteor.Error('error-room-not-found', 'The required "roomId" or "roomName" param provided does not match any group');
 }
 const user = this.getUserFromParams();
 Meteor.runAsUser(this.userId, () => {
- Meteor.call('addUserToRoom', { rid: roomId, username: user.username });
+ Meteor.call('addUserToRoom', { rid: findResult._id, username: user.username });
 });
 return RocketChat.API.v1.success({
- group: RocketChat.models.Rooms.findOneById(roomId, { fields: RocketChat.API.v1.defaultFieldsToExclude })
+ group: RocketChat.models.Rooms.findOneById(findResult._id, { fields: RocketChat.API.v1.defaultFieldsToExclude })
 });
 }
 });
From db2b9d9c51266efb9bfb984e6131a5bd0e2deb8b Mon Sep 17 00:00:00 2001
From: Guilherme Gazzo
Date: Fri, 15 Jun 2018 13:19:05 -0300
Subject: [PATCH 5/5] fix review
---
 packages/rocketchat-api/server/v1/groups.js | 22 ++++++++++-----------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/packages/rocketchat-api/server/v1/groups.js b/packages/rocketchat-api/server/v1/groups.js
index 5ddca4791c8ed..ffeb3cf4434a3 100644
--- a/packages/rocketchat-api/server/v1/groups.js
+++ b/packages/rocketchat-api/server/v1/groups.js
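Review bot: With the `userId`-scoped `findPrivateGroupByIdOrName` lookup and the `hasPermission` check both removed, the route no longer decides anything about the caller itself; whether a non-member may invite now rests entirely on the `addUserToRoom` method run through `Meteor.runAsUser`, whose checks are not visible here. A caller who is not a member presumably gets a different error from `addUserToRoom` than `error-room-not-found`, which reveals whether a private group with that id or name exists, and a later change to `addUserToRoom` would silently change this endpoint's authorization. I would record the dependency above the lookup, `// Authorization (membership or add-user-to-any-p-room) is enforced by addUserToRoom; this lookup is deliberately unscoped`, and return the same error for "not found" and "not allowed".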
@@ -348,26 +348,24 @@ RocketChat.API.v1.addRoute('groups.info', { authRequired: true }, {
 RocketChat.API.v1.addRoute('groups.invite', { authRequired: true }, {
 post() {
- let findResult;
- const params = this.requestParams();
- if ((params.roomId && params.roomId.trim()) || (params.roomName && params.roomName.trim())) {
- const idOrName = params.roomId || params.roomName;
- findResult = RocketChat.models.Rooms.findOneByIdOrName(idOrName);
- } else {
+ const { roomId = '', roomName = '' } = this.requestParams();
+ const idOrName = roomId || roomName;
+ if (!idOrName.trim()) {
 throw new Meteor.Error('error-room-param-not-provided', 'The parameter "roomId" or "roomName" is required');
 }
- if (!findResult || findResult.t !== 'p') {
+
+ const { _id: rid, t: type } = RocketChat.models.Rooms.findOneByIdOrName(idOrName) || {};
+
+ if (!rid || type !== 'p') {
 throw new Meteor.Error('error-room-not-found', 'The required "roomId" or "roomName" param provided does not match any group');
 }
- const user = this.getUserFromParams();
+ const { username } = this.getUserFromParams();
- Meteor.runAsUser(this.userId, () => {
- Meteor.call('addUserToRoom', { rid: findResult._id, username: user.username });
- });
+ Meteor.runAsUser(this.userId, () => Meteor.call('addUserToRoom', { rid, username }));
 return RocketChat.API.v1.success({
- group: RocketChat.models.Rooms.findOneById(findResult._id, { fields: RocketChat.API.v1.defaultFieldsToExclude })
+ group: RocketChat.models.Rooms.findOneById(rid, { fields: RocketChat.API.v1.defaultFieldsToExclude })
 });
 }
 });
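Review bot: `const idOrName = roomId || roomName;` picks `roomId` whenever it is non-empty, so a whitespace-only `roomId` shadows a valid `roomName` and the request fails with `error-room-param-not-provided`; the value handed to `findOneByIdOrName` is also the untrimmed one. Trimming before choosing fixes both: `const idOrName = roomId.trim() || roomName.trim();` followed by `if (!idOrName) {`. A one-line comment that `|| {}` routes a missing room into the `error-room-not-found` branch would make the destructuring easier to read.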