Description:
When trying to upload a file in behalf of a user in a Livechat room using a app it returns a
error saying it's forbidden.
When trying to upload a file using an app on a RocketChat server below 3.16.0 version it works as expected
When I try to upload a file with a visitor token instead of a user it works correctly no matter the RocketChat version.
Here is the error message and stack trace that is returned by the server:
"{\"message\":\"Forbidden [forbidden]\",\"stack\":\"Error: Forbidden [forbidden]\\n at Object.<anonymous> (packages/jalik:ufs/ufs-store.js:339:12)\\n at packages/matb33:collection-hooks/insert.js:16:28\\n at Array.forEach (<anonymous>)\\n at Object.<anonymous> (packages/matb33:collection-hooks/insert.js:15:22)\\n at Object.collection.<computed> [as insert] (packages/matb33:collection-hooks/collection-hooks.js:93:21)\\n at ns.Collection.insert (packages/mongo/collection.js:523:39)\\n at ns.Collection.Mongo.Collection.<computed> [as insert] (packages/dispatch_run-as-user.js:325:19)\\n at BaseDb.insert (app/models/server/models/_BaseDb.js:278:33)\\n at ns.Collection.model.insert (app/models/server/models/_BaseDb.js:129:16)\\n at GridFSStore.Store.self.create (packages/jalik:ufs/ufs-store.js:202:33)\\n at FileUploadClass._doInsert (app/file-upload/server/lib/FileUpload.js:573:29)\\n at FileUploadClass.insert (app/file-upload/server/lib/FileUpload.js:613:15)\\n at FileUploadClass.insertSync (packages/meteor.js:306:21)\\n at app/apps/server/bridges/uploads.ts:59:36\\n at runWithEnvironment (packages/meteor.js:1286:24)\\n at packages/meteor.js:1299:14\\n at new Promise (<anonymous>)\\n at app/apps/server/bridges/uploads.ts:57:10\\n at /app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/fiber_pool.js:43:40\"}"
Steps to reproduce
- Create a app with a endpoint to upload a file in a room. The image below represents how I am doing the upload:
-
Start a Livechat chat
-
Send a request to the endpoint passing the file, the ID of the Livechat room and the username of the user that is uploading the file
Expected behavior:
It should upload a file in a Livechat room in behalf of a user
Actual behavior:
It returns a error saying it's forbidden
Server Setup Information:
- Version of Rocket.Chat Server: 3.17.1 Enterprise
- Operating System: Linux
- Deployment Method: Docker
- Number of Running Instances: 1
- DB Replicaset Oplog:
- NodeJS Version: v12.22.1
- MongoDB Version: 4.0.22
Client Setup Information:
- Desktop App or Browser Version: Brave 1.24.82
- Operating System: Linux Mint 20
Description:
When trying to upload a file in behalf of a user in a Livechat room using a app it returns a
error saying it's forbidden.
When trying to upload a file using an app on a RocketChat server below 3.16.0 version it works as expected
When I try to upload a file with a visitor token instead of a user it works correctly no matter the RocketChat version.
Here is the error message and stack trace that is returned by the server:
"{\"message\":\"Forbidden [forbidden]\",\"stack\":\"Error: Forbidden [forbidden]\\n at Object.<anonymous> (packages/jalik:ufs/ufs-store.js:339:12)\\n at packages/matb33:collection-hooks/insert.js:16:28\\n at Array.forEach (<anonymous>)\\n at Object.<anonymous> (packages/matb33:collection-hooks/insert.js:15:22)\\n at Object.collection.<computed> [as insert] (packages/matb33:collection-hooks/collection-hooks.js:93:21)\\n at ns.Collection.insert (packages/mongo/collection.js:523:39)\\n at ns.Collection.Mongo.Collection.<computed> [as insert] (packages/dispatch_run-as-user.js:325:19)\\n at BaseDb.insert (app/models/server/models/_BaseDb.js:278:33)\\n at ns.Collection.model.insert (app/models/server/models/_BaseDb.js:129:16)\\n at GridFSStore.Store.self.create (packages/jalik:ufs/ufs-store.js:202:33)\\n at FileUploadClass._doInsert (app/file-upload/server/lib/FileUpload.js:573:29)\\n at FileUploadClass.insert (app/file-upload/server/lib/FileUpload.js:613:15)\\n at FileUploadClass.insertSync (packages/meteor.js:306:21)\\n at app/apps/server/bridges/uploads.ts:59:36\\n at runWithEnvironment (packages/meteor.js:1286:24)\\n at packages/meteor.js:1299:14\\n at new Promise (<anonymous>)\\n at app/apps/server/bridges/uploads.ts:57:10\\n at /app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/fiber_pool.js:43:40\"}"Steps to reproduce
Start a Livechat chat
Send a request to the endpoint passing the file, the ID of the Livechat room and the username of the user that is uploading the file
Expected behavior:
It should upload a file in a Livechat room in behalf of a user
Actual behavior:
It returns a error saying it's forbidden
Server Setup Information:
Client Setup Information: