
Commit 18c9df1

Merge remote-tracking branch 'origin/develop' into raw-models
# Conflicts: # app/api/server/v1/im.js # app/reactions/server/setReaction.js
2 parents 268d70d + 2be0a6d commit 18c9df1


42 files changed

+1591
-1207
lines changed


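--- a/.github/history-manual.json
+++ b/.github/history-manual.json
@@ -123,5 +123,12 @@
 "sampaiodiego",
 "pierre-lehnen-rc"
 ]
+}],
+"4.1.1": [{
+"title": "[FIX] Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)",
+"userLogin": "sampaiodiego",
+"contributors": [
+"sampaiodiego"
+]
 }]
 }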

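--- a/.github/history.json
+++ b/.github/history.json
@@ -67032,6 +67032,49 @@
 "5.0"
 ],
 "pull_requests": []
+},
+"4.1.1": {
+"node_version": "12.22.1",
+"npm_version": "6.14.1",
+"apps_engine_version": "1.28.1",
+"mongo_versions": [
+"3.6",
+"4.0",
+"4.2",
+"4.4",
+"5.0"
+],
+"pull_requests": [
+{
+"pr": "23607",
+"title": "[FIX] App update flow failing in HA setups",
+"userLogin": "d-gubert",
+"description": "The flow for app updates is broken in specific scenarios with HA setups. Here we change the method calls in the Apps-Engine to avoid race conditions",
+"milestone": "4.1.1",
+"contributors": [
+"d-gubert"
+]
+},
+{
+"pr": "23627",
+"title": "[FIX] LDAP users not being re-activated on login",
+"userLogin": "pierre-lehnen-rc",
+"milestone": "4.1.1",
+"contributors": [
+"pierre-lehnen-rc"
+]
+},
+{
+"pr": "23608",
+"title": "[FIX] Advanced LDAP Sync Features",
+"userLogin": "pierre-lehnen-rc",
+"milestone": "4.1.1",
+"contributors": [
+"pierre-lehnen-rc",
+"web-flow"
+]
+}
+]
 }
 }
-}
+}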

HISTORY.md

Lines changed: 1147 additions & 976 deletions

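--- a/app/api/server/v1/channels.js
+++ b/app/api/server/v1/channels.js
@@ -286,9 +286,9 @@ API.v1.addRoute('channels.files', { authRequired: true }, {
 return file;
 };
 
-Meteor.runAsUser(this.userId, () => {
-Meteor.call('canAccessRoom', findResult._id, this.userId);
-});
+if (!canAccessRoom(findResult, { _id: this.userId })) {
+return API.v1.unauthorized();
+}
 
 const { offset, count } = this.getPaginationItems();
 const { sort, fields, query } = this.parseJsonQuery();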
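Review bot: The new guard passes a bare `{ _id: this.userId }` as the user, while the other API routes touched in this commit (commands.js) hand `canAccessRoom` the full user record. The old `Meteor.call('canAccessRoom', …, this.userId)` took only an id, so the server-side method presumably loaded the user itself; the new function sees only what is passed, and any rule inside it that reads more than `_id` (username, roles) would now run against a stub. If the authenticated route context exposes the loaded user, as commands.js suggests, prefer `if (!canAccessRoom(findResult, this.user)) {`. The `channels.files` handler starts before this hunk, so whether `findResult` has already been validated is not visible here.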

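--- a/app/api/server/v1/chat.js
+++ b/app/api/server/v1/chat.js
@@ -3,7 +3,7 @@ import { Meteor } from 'meteor/meteor';
 import { Match, check } from 'meteor/check';
 
 import { Messages } from '../../../models';
-import { canAccessRoom, hasPermission } from '../../../authorization';
+import { canAccessRoom, hasPermission } from '../../../authorization/server';
 import { normalizeMessagesForUser } from '../../../utils/server/lib/normalizeMessagesForUser';
 import { processWebhookMessage } from '../../../lib/server';
 import { executeSendMessage } from '../../../lib/server/methods/sendMessage';
@@ -404,12 +404,12 @@ API.v1.addRoute('chat.getPinnedMessages', { authRequired: true }, {
 if (!roomId) {
 throw new Meteor.Error('error-roomId-param-not-provided', 'The required "roomId" query param is missing.');
 }
-const room = Meteor.call('canAccessRoom', roomId, this.userId);
-if (!room) {
+
+if (!canAccessRoom({ _id: roomId }, { _id: this.userId })) {
 throw new Meteor.Error('error-not-allowed', 'Not allowed');
 }
 
-const cursor = Messages.findPinnedByRoom(room._id, {
+const cursor = Messages.findPinnedByRoom(roomId, {
 skip: offset,
 limit: count,
 });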
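Review bot: In the `chat.getPinnedMessages` hunk `roomId` is only tested for presence before it is wrapped in `{ _id: roomId }` for the access check and then passed straight to `Messages.findPinnedByRoom`; previously the id returned by the access method was used for the query, now the caller-supplied value is. Since `check` is already imported from `meteor/check` (line 4, visible in the first hunk), adding `check(roomId, String);` beside the presence test would reject non-string values before they reach either call. Where `roomId` is read from is above the hunk, so an earlier `check` may exist but is not visible here. The first hunk is an import-path change only.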

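--- a/app/api/server/v1/commands.js
+++ b/app/api/server/v1/commands.js
@@ -2,8 +2,9 @@ import { Meteor } from 'meteor/meteor';
 import { Random } from 'meteor/random';
 import objectPath from 'object-path';
 
-import { slashCommands } from '../../../utils';
-import { Messages } from '../../../models';
+import { slashCommands } from '../../../utils/server';
+import { Messages } from '../../../models/server';
+import { canAccessRoom } from '../../../authorization/server';
 import { API } from '../api';
 
 API.v1.addRoute('commands.get', { authRequired: true }, {
@@ -189,8 +190,9 @@ API.v1.addRoute('commands.run', { authRequired: true }, {
 return API.v1.failure('The command provided does not exist (or is disabled).');
 }
 
-// This will throw an error if they can't or the room is invalid
-Meteor.call('canAccessRoom', body.roomId, user._id);
+if (!canAccessRoom({ _id: body.roomId }, user)) {
+return API.v1.unauthorized();
+}
 
 const params = body.params ? body.params : '';
 const message = {
@@ -238,8 +240,9 @@ API.v1.addRoute('commands.preview', { authRequired: true }, {
 return API.v1.failure('The command provided does not exist (or is disabled).');
 }
 
-// This will throw an error if they can't or the room is invalid
-Meteor.call('canAccessRoom', query.roomId, user._id);
+if (!canAccessRoom({ _id: query.roomId }, user)) {
+return API.v1.unauthorized();
+}
 
 const params = query.params ? query.params : '';
 
@@ -288,8 +291,9 @@ API.v1.addRoute('commands.preview', { authRequired: true }, {
 return API.v1.failure('The command provided does not exist (or is disabled).');
 }
 
-// This will throw an error if they can't or the room is invalid
-Meteor.call('canAccessRoom', body.roomId, user._id);
+if (!canAccessRoom({ _id: body.roomId }, user)) {
+return API.v1.unauthorized();
+}
 
 const params = body.params ? body.params : '';
 const message = {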
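Review bot: The removed comment `// This will throw an error if they can't or the room is invalid` is not replaced, so the new behaviour — returning `API.v1.unauthorized()` instead of letting a `Meteor.Error` propagate — is undocumented at all three sites (`commands.run` and both `commands.preview` handlers, hunks two to four). A one-liner such as `// Callers who cannot access the requested room get API.v1.unauthorized() here rather than a thrown error` above each guard would keep the old comment's intent; whether an unknown `roomId` is also rejected now depends on `canAccessRoom`, which is not visible here. The same three-line guard is repeated verbatim three times; a small local helper would keep the response type in one place. The route handlers start and end outside these hunks.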

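--- a/app/api/server/v1/im.js
+++ b/app/api/server/v1/im.js
@@ -3,7 +3,7 @@ import { Match, check } from 'meteor/check';
 
 import { Subscriptions, Users, Messages, Rooms } from '../../../models/server';
 import { Uploads } from '../../../models/server/raw';
-import { hasPermission } from '../../../authorization/server';
+import { canAccessRoom, hasPermission } from '../../../authorization/server';
 import { normalizeMessagesForUser } from '../../../utils/server/lib/normalizeMessagesForUser';
 import { settings } from '../../../settings/server';
 import { API } from '../api';
@@ -20,7 +20,7 @@ function findDirectMessageRoom(params, user, allowAdminOverride) {
 nameOrId: params.username || params.roomId,
 });
 
-const canAccess = Meteor.call('canAccessRoom', room._id, user._id)
+const canAccess = canAccessRoom(room, user)
 || (allowAdminOverride && hasPermission(user._id, 'view-room-administration'));
 if (!canAccess || !room || room.t !== 'd') {
 throw new Meteor.Error('error-room-not-found', 'The required "roomId" or "username" param provided does not match any direct message');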
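Review bot: `canAccessRoom(room, user)` on the new line 23 is evaluated before the `!room` test on line 25, so a lookup miss hands `undefined` as the room to `canAccessRoom` (and, with `allowAdminOverride`, to `hasPermission`) before the not-found error is raised; the old `room._id` had the same ordering problem and the commit keeps it. Testing existence and room type first and access second gives the same outcomes but makes the not-found path independent of how `canAccessRoom` treats a missing room. `findDirectMessageRoom` begins before the hunk and continues after it.
```javascript
// … unchanged: room lookup …
if (!room || room.t !== 'd') {
  throw new Meteor.Error('error-room-not-found', 'The required "roomId" or "username" param provided does not match any direct message');
}
const canAccess = canAccessRoom(room, user)
  || (allowAdminOverride && hasPermission(user._id, 'view-room-administration'));
if (!canAccess) {
  throw new Meteor.Error('error-room-not-found', 'The required "roomId" or "username" param provided does not match any direct message');
}
```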

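--- a/app/api/server/v1/rooms.js
+++ b/app/api/server/v1/rooms.js
@@ -65,9 +65,7 @@ API.v1.addRoute('rooms.get', { authRequired: true }, {
 
 API.v1.addRoute('rooms.upload/:rid', { authRequired: true }, {
 post() {
-const room = Meteor.call('canAccessRoom', this.urlParams.rid, this.userId);
-
-if (!room) {
+if (!canAccessRoom({ _id: this.urlParams.rid }, { _id: this.userId })) {
 return API.v1.unauthorized();
 }
 
@@ -191,9 +189,11 @@ API.v1.addRoute('rooms.info', { authRequired: true }, {
 get() {
 const room = findRoomByIdOrName({ params: this.requestParams() });
 const { fields } = this.parseJsonQuery();
-if (!Meteor.call('canAccessRoom', room._id, this.userId, {})) {
+
+if (!room || !canAccessRoom(room, { _id: this.userId })) {
 return API.v1.failure('not-allowed', 'Not Allowed');
 }
+
 return API.v1.success({ room: Rooms.findOneByIdOrName(room._id, { fields }) });
 },
 });
@@ -244,9 +244,11 @@ API.v1.addRoute('rooms.getDiscussions', { authRequired: true }, {
 const room = findRoomByIdOrName({ params: this.requestParams() });
 const { offset, count } = this.getPaginationItems();
 const { sort, fields, query } = this.parseJsonQuery();
-if (!Meteor.call('canAccessRoom', room._id, this.userId, {})) {
+
+if (!room || !canAccessRoom(room, { _id: this.userId })) {
 return API.v1.failure('not-allowed', 'Not Allowed');
 }
+
 const ourQuery = Object.assign(query, { prid: room._id });
 
 const discussions = Rooms.find(ourQuery, {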
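Review bot: The three hunks answer the same failed access check differently: `rooms.upload/:rid` returns `API.v1.unauthorized()`, while `rooms.info` and `rooms.getDiscussions` keep `API.v1.failure('not-allowed', 'Not Allowed')`, which now also covers the newly added `!room` case. If `failure` and `unauthorized` map to different HTTP statuses, as their names suggest, clients get two signals for one condition; switching the latter two to `return API.v1.unauthorized();` would match commands.js and channels.js in this commit, with the `!room` branch arguably deserving a distinct not-found response instead. `rooms.upload/:rid` also drops its `!room` guard, which is only safe if `canAccessRoom({ _id: … }, …)` returns false for an id that matches no room — not visible here.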

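--- a/app/e2e/server/methods/getUsersOfRoomWithoutKey.js
+++ b/app/e2e/server/methods/getUsersOfRoomWithoutKey.js
@@ -1,16 +1,23 @@
 import { Meteor } from 'meteor/meteor';
+import { check } from 'meteor/check';
 
-import { Subscriptions, Users } from '../../../models';
+import { canAccessRoom } from '../../../authorization/server';
+import { Subscriptions, Users } from '../../../models/server';
 
 Meteor.methods({
 'e2e.getUsersOfRoomWithoutKey'(rid) {
+check(rid, String);
+
 const userId = Meteor.userId();
 if (!userId) {
 throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'e2e.getUsersOfRoomWithoutKey' });
 }
 
-const room = Meteor.call('canAccessRoom', rid, userId);
-if (!room) {
+if (!rid) {
+throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'e2e.getUsersOfRoomWithoutKey' });
+}
+
+if (!canAccessRoom({ _id: rid }, { _id: userId })) {
 throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'e2e.getUsersOfRoomWithoutKey' });
 }
 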

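--- a/app/e2e/server/methods/setRoomKeyID.js
+++ b/app/e2e/server/methods/setRoomKeyID.js
@@ -1,19 +1,29 @@
 import { Meteor } from 'meteor/meteor';
+import { check } from 'meteor/check';
 
-import { Rooms } from '../../../models';
+import { canAccessRoom } from '../../../authorization/server';
+import { Rooms } from '../../../models/server';
 
 Meteor.methods({
 'e2e.setRoomKeyID'(rid, keyID) {
+check(rid, String);
+check(keyID, String);
+
 const userId = Meteor.userId();
 if (!userId) {
 throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'e2e.setRoomKeyID' });
 }
 
-const room = Meteor.call('canAccessRoom', rid, userId);
-if (!room) {
+if (!rid) {
 throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'e2e.setRoomKeyID' });
 }
 
+if (!canAccessRoom({ _id: rid }, { _id: userId })) {
+throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'e2e.setRoomKeyID' });
+}
+
+const room = Rooms.findOneById(rid, { fields: { e2eKeyId: 1 } });
+
 if (room.e2eKeyId) {
 throw new Meteor.Error('error-room-e2e-key-already-exists', 'E2E Key ID already exists', { method: 'e2e.setRoomKeyID' });
 }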
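Review bot: `room` from the new `Rooms.findOneById(rid, { fields: { e2eKeyId: 1 } })` is dereferenced on the next line (`room.e2eKeyId`) with no null guard; the removed `if (!room)` covered that for the old lookup, and the new code is only safe if `canAccessRoom({ _id: rid }, …)` is guaranteed to return false for an id matching no room, which is not visible here — and the room can disappear between the two calls regardless. Add `if (!room) { throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'e2e.setRoomKeyID' }); }` between the lookup and the `e2eKeyId` test. The method body continues past the hunk.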
