Merge branch 'develop' into update-meteor-2.5.6

RocketChat · Feb 14, 2022 · a5c6626 · a5c6626
2 parents e3f8a79 + 732bb4f
commit a5c6626
Show file tree

Hide file tree

Showing 104 changed files with 1,335 additions and 1,110 deletions.
diff --git a/app/action-links/client/lib/actionLinks.js b/app/action-links/client/lib/actionLinks.js
@@ -1,7 +1,7 @@
 import { Meteor } from 'meteor/meteor';
 
 import { handleError } from '../../../../client/lib/utils/handleError';
-import { Messages, Subscriptions } from '../../../models/client';
+import { Messages } from '../../../models/client';
 
 // Action Links namespace creation.
 export const actionLinks = {
@@ -24,16 +24,6 @@ export const actionLinks = {
 			});
 		}
 
-		const subscription = Subscriptions.findOne({
-			'rid': message.rid,
-			'u._id': userId,
-		});
-		if (!subscription) {
-			throw new Meteor.Error('error-not-allowed', 'Not allowed', {
-				function: 'actionLinks.getMessage',
-			});
-		}
-
 		if (!message.actionLinks || !message.actionLinks[name]) {
 			throw new Meteor.Error('error-invalid-actionlink', 'Invalid action link', {
 				function: 'actionLinks.getMessage',

diff --git a/app/action-links/server/lib/actionLinks.js b/app/action-links/server/lib/actionLinks.js
@@ -1,6 +1,16 @@
 import { Meteor } from 'meteor/meteor';
 
-import { Messages, Subscriptions } from '../../../models/server';
+import { getMessageForUser } from '../../../../server/lib/messages/getMessageForUser';
+
+function getMessageById(messageId) {
+	try {
+		return Promise.await(getMessageForUser(messageId, Meteor.userId()));
+	} catch (e) {
+		throw new Meteor.Error(e.message, 'Invalid message', {
+			function: 'actionLinks.getMessage',
+		});
+	}
+}
 
 // Action Links namespace creation.
 export const actionLinks = {
@@ -9,30 +19,14 @@ export const actionLinks = {
 		actionLinks.actions[name] = funct;
 	},
 	getMessage(name, messageId) {
-		const userId = Meteor.userId();
-		if (!userId) {
-			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
-				function: 'actionLinks.getMessage',
-			});
-		}
+		const message = getMessageById(messageId);
 
-		const message = Messages.findOne({ _id: messageId });
 		if (!message) {
 			throw new Meteor.Error('error-invalid-message', 'Invalid message', {
 				function: 'actionLinks.getMessage',
 			});
 		}
 
-		const subscription = Subscriptions.findOne({
-			'rid': message.rid,
-			'u._id': userId,
-		});
-		if (!subscription) {
-			throw new Meteor.Error('error-not-allowed', 'Not allowed', {
-				function: 'actionLinks.getMessage',
-			});
-		}
-
 		if (!message.actionLinks || !message.actionLinks[name]) {
 			throw new Meteor.Error('error-invalid-actionlink', 'Invalid action link', {
 				function: 'actionLinks.getMessage',

diff --git a/app/api/server/v1/chat.js b/app/api/server/v1/chat.js
@@ -3,7 +3,7 @@ import { Meteor } from 'meteor/meteor';
 import { Match, check } from 'meteor/check';
 
 import { Messages } from '../../../models';
-import { canAccessRoom, hasPermission } from '../../../authorization/server';
+import { canAccessRoom, canAccessRoomId, roomAccessAttributes, hasPermission } from '../../../authorization/server';
 import { normalizeMessagesForUser } from '../../../utils/server/lib/normalizeMessagesForUser';
 import { processWebhookMessage } from '../../../lib/server';
 import { executeSendMessage } from '../../../lib/server/methods/sendMessage';
@@ -496,7 +496,7 @@ API.v1.addRoute(
 				throw new Meteor.Error('error-roomId-param-not-provided', 'The required "roomId" query param is missing.');
 			}
 
-			if (!canAccessRoom({ _id: roomId }, { _id: this.userId })) {
+			if (!canAccessRoomId(roomId, this.userId)) {
 				throw new Meteor.Error('error-not-allowed', 'Not allowed');
 			}
 
@@ -535,17 +535,16 @@ API.v1.addRoute(
 				throw new Meteor.Error('error-not-allowed', 'Threads Disabled');
 			}
 			const user = Users.findOneById(this.userId, { fields: { _id: 1 } });
-			const room = Rooms.findOneById(rid, { fields: { t: 1, _id: 1 } });
+			const room = Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1, _id: 1 } });
+
 			if (!canAccessRoom(room, user)) {
 				throw new Meteor.Error('error-not-allowed', 'Not Allowed');
 			}
 
 			const typeThread = {
 				_hidden: { $ne: true },
 				...(type === 'following' && { replies: { $in: [this.userId] } }),
-				...(type === 'unread' && {
-					_id: { $in: Subscriptions.findOneByRoomIdAndUserId(room._id, user._id).tunread },
-				}),
+				...(type === 'unread' && { _id: { $in: Subscriptions.findOneByRoomIdAndUserId(room._id, user._id).tunread } }),
 				msg: new RegExp(escapeRegExp(text), 'i'),
 			};
 
@@ -595,18 +594,16 @@ API.v1.addRoute(
 				updatedSinceDate = new Date(updatedSince);
 			}
 			const user = Users.findOneById(this.userId, { fields: { _id: 1 } });
-			const room = Rooms.findOneById(rid, { fields: { t: 1, _id: 1 } });
+			const room = Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1, _id: 1 } });
+
 			if (!canAccessRoom(room, user)) {
 				throw new Meteor.Error('error-not-allowed', 'Not Allowed');
 			}
 			const threadQuery = Object.assign({}, query, { rid, tcount: { $exists: true } });
 			return API.v1.success({
 				threads: {
 					update: Messages.find({ ...threadQuery, _updatedAt: { $gt: updatedSinceDate } }, { fields, sort }).fetch(),
-					remove: Messages.trashFindDeletedAfter(updatedSinceDate, threadQuery, {
-						fields,
-						sort,
-					}).fetch(),
+					remove: Messages.trashFindDeletedAfter(updatedSinceDate, threadQuery, { fields, sort }).fetch(),
 				},
 			});
 		},
@@ -633,7 +630,7 @@ API.v1.addRoute(
 				throw new Meteor.Error('error-invalid-message', 'Invalid Message');
 			}
 			const user = Users.findOneById(this.userId, { fields: { _id: 1 } });
-			const room = Rooms.findOneById(thread.rid, { fields: { t: 1, _id: 1 } });
+			const room = Rooms.findOneById(thread.rid, { fields: { ...roomAccessAttributes, t: 1, _id: 1 } });
 
 			if (!canAccessRoom(room, user)) {
 				throw new Meteor.Error('error-not-allowed', 'Not Allowed');
@@ -690,7 +687,7 @@ API.v1.addRoute(
 				throw new Meteor.Error('error-invalid-message', 'Invalid Message');
 			}
 			const user = Users.findOneById(this.userId, { fields: { _id: 1 } });
-			const room = Rooms.findOneById(thread.rid, { fields: { t: 1, _id: 1 } });
+			const room = Rooms.findOneById(thread.rid, { fields: { ...roomAccessAttributes, t: 1, _id: 1 } });
 
 			if (!canAccessRoom(room, user)) {
 				throw new Meteor.Error('error-not-allowed', 'Not Allowed');

diff --git a/app/api/server/v1/commands.js b/app/api/server/v1/commands.js
@@ -4,7 +4,7 @@ import objectPath from 'object-path';
 
 import { slashCommands } from '../../../utils/server';
 import { Messages } from '../../../models/server';
-import { canAccessRoom } from '../../../authorization/server';
+import { canAccessRoomId } from '../../../authorization/server';
 import { API } from '../api';
 
 API.v1.addRoute(
@@ -201,7 +201,7 @@ API.v1.addRoute(
 				return API.v1.failure('The command provided does not exist (or is disabled).');
 			}
 
-			if (!canAccessRoom({ _id: body.roomId }, user)) {
+			if (!canAccessRoomId(body.roomId, user._id)) {
 				return API.v1.unauthorized();
 			}
 
@@ -255,7 +255,7 @@ API.v1.addRoute(
 				return API.v1.failure('The command provided does not exist (or is disabled).');
 			}
 
-			if (!canAccessRoom({ _id: query.roomId }, user)) {
+			if (!canAccessRoomId(query.roomId, user._id)) {
 				return API.v1.unauthorized();
 			}
 
@@ -310,7 +310,7 @@ API.v1.addRoute(
 				return API.v1.failure('The command provided does not exist (or is disabled).');
 			}
 
-			if (!canAccessRoom({ _id: body.roomId }, user)) {
+			if (!canAccessRoomId(body.roomId, user._id)) {
 				return API.v1.unauthorized();
 			}
 

diff --git a/app/api/server/v1/groups.js b/app/api/server/v1/groups.js
@@ -5,7 +5,13 @@ import { Match, check } from 'meteor/check';
 import { mountIntegrationQueryBasedOnPermissions } from '../../../integrations/server/lib/mountQueriesBasedOnPermission';
 import { Subscriptions, Rooms, Messages, Users } from '../../../models/server';
 import { Integrations, Uploads } from '../../../models/server/raw';
-import { hasPermission, hasAtLeastOnePermission, canAccessRoom, hasAllPermission } from '../../../authorization/server';
+import {
+	hasPermission,
+	hasAtLeastOnePermission,
+	canAccessRoom,
+	hasAllPermission,
+	roomAccessAttributes,
+} from '../../../authorization/server';
 import { normalizeMessagesForUser } from '../../../utils/server/lib/normalizeMessagesForUser';
 import { API } from '../api';
 import { Team } from '../../../../server/sdk';
@@ -19,6 +25,7 @@ export function findPrivateGroupByIdOrName({ params, userId, checkedArchived = t
 
 	const roomOptions = {
 		fields: {
+			...roomAccessAttributes,
 			t: 1,
 			ro: 1,
 			name: 1,

diff --git a/app/api/server/v1/rooms.js b/app/api/server/v1/rooms.js
@@ -12,7 +12,7 @@ import {
 	findChannelAndPrivateAutocompleteWithPagination,
 } from '../lib/rooms';
 import { sendFile, sendViaEmail } from '../../../../server/lib/channelExport';
-import { canAccessRoom, hasPermission } from '../../../authorization/server';
+import { canAccessRoom, canAccessRoomId, hasPermission } from '../../../authorization/server';
 import { Media } from '../../../../server/sdk';
 import { settings } from '../../../settings/server/index';
 import { getUploadFormData } from '../lib/getUploadFormData';
@@ -81,7 +81,7 @@ API.v1.addRoute(
 	{ authRequired: true },
 	{
 		post() {
-			if (!canAccessRoom({ _id: this.urlParams.rid }, { _id: this.userId })) {
+			if (!canAccessRoomId(this.urlParams.rid, this.userId)) {
 				return API.v1.unauthorized();
 			}
 

diff --git a/app/authorization/server/functions/canAccessRoom.ts b/app/authorization/server/functions/canAccessRoom.ts
@@ -2,5 +2,15 @@ import { Authorization } from '../../../../server/sdk';
 import { IAuthorization } from '../../../../server/sdk/types/IAuthorization';
 
 export const canAccessRoomAsync = Authorization.canAccessRoom;
+export const canAccessRoomIdAsync = Authorization.canAccessRoomId;
+export const roomAccessAttributes = {
+	_id: 1,
+	t: 1,
+	teamId: 1,
+	prid: 1,
+	tokenpass: 1,
+};
 
 export const canAccessRoom = (...args: Parameters<IAuthorization['canAccessRoom']>): boolean => Promise.await(canAccessRoomAsync(...args));
+export const canAccessRoomId = (...args: Parameters<IAuthorization['canAccessRoomId']>): boolean =>
+	Promise.await(canAccessRoomIdAsync(...args));
diff --git a/app/authorization/server/index.js b/app/authorization/server/index.js
@@ -1,5 +1,5 @@
 import { addUserRoles } from './functions/addUserRoles';
-import { canAccessRoom, roomAccessValidators } from './functions/canAccessRoom';
+import { canAccessRoom, canAccessRoomId, roomAccessAttributes, roomAccessValidators } from './functions/canAccessRoom';
 import { canSendMessage, validateRoomMessagePermissions } from './functions/canSendMessage';
 import { getRoles } from './functions/getRoles';
 import { getUsersInRole } from './functions/getUsersInRole';
@@ -26,6 +26,8 @@ export {
 	roomAccessValidators,
 	addUserRoles,
 	canAccessRoom,
+	canAccessRoomId,
+	roomAccessAttributes,
 	hasAllPermission,
 	hasAtLeastOnePermission,
 	hasPermission,

diff --git a/app/e2e/server/methods/getUsersOfRoomWithoutKey.js b/app/e2e/server/methods/getUsersOfRoomWithoutKey.js
@@ -1,7 +1,7 @@
 import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
 
-import { canAccessRoom } from '../../../authorization/server';
+import { canAccessRoomId } from '../../../authorization/server';
 import { Subscriptions, Users } from '../../../models/server';
 
 Meteor.methods({
@@ -21,10 +21,8 @@ Meteor.methods({
 			});
 		}
 
-		if (!canAccessRoom({ _id: rid }, { _id: userId })) {
-			throw new Meteor.Error('error-invalid-room', 'Invalid room', {
-				method: 'e2e.getUsersOfRoomWithoutKey',
-			});
+		if (!canAccessRoomId(rid, userId)) {
+			throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'e2e.getUsersOfRoomWithoutKey' });
 		}
 
 		const subscriptions = Subscriptions.findByRidWithoutE2EKey(rid, {

diff --git a/app/e2e/server/methods/setRoomKeyID.js b/app/e2e/server/methods/setRoomKeyID.js
@@ -1,7 +1,7 @@
 import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
 
-import { canAccessRoom } from '../../../authorization/server';
+import { canAccessRoomId } from '../../../authorization/server';
 import { Rooms } from '../../../models/server';
 
 Meteor.methods({
@@ -18,7 +18,7 @@ Meteor.methods({
 			throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'e2e.setRoomKeyID' });
 		}
 
-		if (!canAccessRoom({ _id: rid }, { _id: userId })) {
+		if (!canAccessRoomId(rid, userId)) {
 			throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'e2e.setRoomKeyID' });
 		}
 

diff --git a/app/lib/lib/roomTypes/private.js b/app/lib/lib/roomTypes/private.js
@@ -1,6 +1,6 @@
 import { Meteor } from 'meteor/meteor';
 
-import { ChatRoom, ChatSubscription } from '../../../models';
+import { ChatRoom } from '../../../models';
 import { openRoom } from '../../../ui-utils';
 import { settings } from '../../../settings';
 import { hasAtLeastOnePermission, hasPermission } from '../../../authorization';
@@ -74,15 +74,6 @@ export class PrivateRoomType extends RoomTypeConfig {
 		return hasAtLeastOnePermission(['add-user-to-any-p-room', 'add-user-to-joined-room'], room._id);
 	}
 
-	canSendMessage(roomId) {
-		// TODO: remove duplicated code
-		return (
-			ChatSubscription.find({
-				rid: roomId,
-			}).count() > 0
-		);
-	}
-
 	allowRoomSettingChange(room, setting) {
 		switch (setting) {
 			case RoomSettingsEnum.JOIN_CODE:

diff --git a/app/lib/lib/roomTypes/public.js b/app/lib/lib/roomTypes/public.js
@@ -1,7 +1,7 @@
 import { Meteor } from 'meteor/meteor';
 
 import { openRoom } from '../../../ui-utils';
-import { ChatRoom, ChatSubscription } from '../../../models';
+import { ChatRoom } from '../../../models';
 import { settings } from '../../../settings';
 import { hasAtLeastOnePermission } from '../../../authorization';
 import { getUserPreference, RoomTypeConfig, RoomTypeRouteConfig, RoomSettingsEnum, UiTextContext, RoomMemberActions } from '../../../utils';
@@ -86,20 +86,6 @@ export class PublicRoomType extends RoomTypeConfig {
 		return hasAtLeastOnePermission(['add-user-to-any-c-room', 'add-user-to-joined-room'], room._id);
 	}
 
-	canSendMessage(roomId) {
-		const room = ChatRoom.findOne({ _id: roomId, t: 'c' }, { fields: { prid: 1 } });
-		if (room.prid) {
-			return true;
-		}
-
-		// TODO: remove duplicated code
-		return (
-			ChatSubscription.find({
-				rid: roomId,
-			}).count() > 0
-		);
-	}
-
 	enableMembersListProfile() {
 		return true;
 	}

diff --git a/app/lib/server/methods/getChannelHistory.ts b/app/lib/server/methods/getChannelHistory.ts
@@ -16,7 +16,11 @@ Meteor.methods({
 			throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'getChannelHistory' });
 		}
 
-		const fromUserId = Meteor.userId() || undefined;
+		const fromUserId = Meteor.userId();
+		if (!fromUserId) {
+			return false;
+		}
+
 		const room = Rooms.findOneById(rid);
 		if (!room) {
 			return false;

diff --git a/app/lib/server/methods/getMessages.ts b/app/lib/server/methods/getMessages.ts
@@ -1,7 +1,7 @@
 import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
 
-import { canAccessRoom } from '../../../authorization/server';
+import { canAccessRoomId } from '../../../authorization/server';
 import { Messages } from '../../../models/server';
 import { IMessage } from '../../../../definition/IMessage';
 
@@ -15,12 +15,9 @@ Meteor.methods({
 		}
 
 		const msgs = Messages.findVisibleByIds(messages).fetch() as IMessage[];
-
-		const user = { _id: uid };
-
 		const rids = [...new Set(msgs.map((m) => m.rid))];
 
-		if (!rids.every((_id) => canAccessRoom({ _id }, user))) {
+		if (!rids.every((_id) => canAccessRoomId(_id, uid))) {
 			throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'getSingleMessage' });
 		}