fix!: Only room creator can set the E2EE room key for the first time (#…

…33520)
RocketChat · Oct 11, 2024 · 09c1b34 · 09c1b34
1 parent bab25f7
commit 09c1b34
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/.changeset/soft-planets-cross.md b/.changeset/soft-planets-cross.md
@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": major
+---
+
+Fixes a behavior of E2EE room creation that allowed any user on the room to define room keys before the room creator, causing race conditions.
diff --git a/apps/meteor/app/e2e/client/rocketchat.e2e.room.js b/apps/meteor/app/e2e/client/rocketchat.e2e.room.js
@@ -245,8 +245,8 @@ export class E2ERoom extends Emitter {
 
 		try {
 			const room = ChatRoom.findOne({ _id: this.roomId });
-			if (!room.e2eKeyId) {
-				// TODO CHECK_PERMISSION
+			// Only room creator can set keys for room
+			if (!room.e2eKeyId && room.u._id === this.userId) {
 				this.setState(E2ERoomState.CREATING_KEYS);
 				await this.createGroupKey();
 				this.setState(E2ERoomState.READY);