[FIX] Users can access public discussions inside private channels they are not members of (#25981)
LucianoPierdona authored and csuarez committed Aug 26, 2022
1 parent d1ebe32 commit fb3494b
Showing 3 changed files with 29 additions and 5 deletions.
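--- a/apps/meteor/app/lib/server/methods/getMessages.ts
+++ b/apps/meteor/app/lib/server/methods/getMessages.ts
@@ -3,7 +3,7 @@ import { check } from 'meteor/check';
 import type { IMessage } from '@rocket.chat/core-typings';
 
 import { canAccessRoomId } from '../../../authorization/server';
-import { Messages } from '../../../models/server';
+import { Messages, Rooms } from '../../../models/server';
 
 Meteor.methods({
 getMessages(messages) {
@@ -16,9 +16,22 @@ Meteor.methods({
 
 const msgs = Messages.findVisibleByIds(messages).fetch() as IMessage[];
 const rids = [...new Set(msgs.map((m) => m.rid))];
+const prids = [
+...new Set(
+rids.reduce<string[]>((prids, rid) => {
+const room = Rooms.findOneById(rid);
 
-if (!rids.every((_id) => canAccessRoomId(_id, uid))) {
-throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'getSingleMessage' });
+if (room?.prid) {
+prids.push(room.prid);
+}
+
+return prids;
+}, []),
+),
+];
+
+if (!rids.every((_id) => canAccessRoomId(_id, uid)) || !prids.every((_id) => canAccessRoomId(_id, uid))) {
+throw new Meteor.Error('error-not-allowed', 'Not allowed', 'getSingleMessage');
 }
 
 return msgs;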
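Review bot: The rewritten throw at the end of the second hunk changes the Meteor.Error details argument from the object form `{ method: 'getSingleMessage' }` to a bare string, which alters the error payload shape that clients and logs receive and still names a method other than the one it lives in; `throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'getMessages' });` keeps the existing convention. The parent lookup fetches the whole room document per rid when only `prid` is needed, so `Rooms.findOneById(rid, { fields: { prid: 1 } })` would be cheaper and mirrors the projection style used in loadHistory.js. Only the immediate parent is checked: if a discussion can itself carry a `prid`, the chain is not walked, and because the same check is repeated in loadHistory.js and loadSurroundingMessages.js in this commit, moving it into canAccessRoom/canAccessRoomId would enforce it once for every caller rather than per method. The getMessages body starts and ends outside the hunk.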
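--- a/apps/meteor/server/methods/loadHistory.js
+++ b/apps/meteor/server/methods/loadHistory.js
@@ -2,7 +2,7 @@ import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
 
 import { Subscriptions, Rooms } from '../../app/models/server';
-import { canAccessRoom, hasPermission, roomAccessAttributes } from '../../app/authorization/server';
+import { canAccessRoom, canAccessRoomId, hasPermission, roomAccessAttributes } from '../../app/authorization/server';
 import { settings } from '../../app/settings/server';
 import { loadMessageHistory } from '../../app/lib/server';
 
@@ -19,6 +19,7 @@ Meteor.methods({
 const fromId = Meteor.userId();
 
 const room = Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1 } });
+
 if (!room) {
 return false;
 }
@@ -27,6 +28,10 @@ Meteor.methods({
 return false;
 }
 
+if (room.prid && !canAccessRoomId(room.prid, fromId)) {
+return false;
+}
+
 const canAnonymous = settings.get('Accounts_AllowAnonymousRead');
 const canPreview = hasPermission(fromId, 'preview-c-room');
 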
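Review bot: The new `room.prid` check in the last hunk reads a field that the projection on `Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1 } })` in the previous hunk may not include; unless roomAccessAttributes already selects `prid`, `room.prid` is always undefined and the guard never fires. Selecting it explicitly, `{ fields: { ...roomAccessAttributes, t: 1, prid: 1 } }`, makes the check independent of that helper's contents and is worth a regression test that loads history from a discussion whose parent the caller cannot access. The silent `return false` matches the other access failures in this method, so that part is consistent. The loadHistory method body starts and ends outside the hunks.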
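--- a/apps/meteor/server/methods/loadSurroundingMessages.js
+++ b/apps/meteor/server/methods/loadSurroundingMessages.js
@@ -2,7 +2,7 @@ import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
 
 import { canAccessRoomId } from '../../app/authorization/server';
-import { Messages } from '../../app/models/server';
+import { Messages, Rooms } from '../../app/models/server';
 import { settings } from '../../app/settings/server';
 import { normalizeMessagesForUser } from '../../app/utils/server/lib/normalizeMessagesForUser';
 
@@ -33,6 +33,12 @@ Meteor.methods({
 return false;
 }
 
+const room = Rooms.findOneById(message.rid);
+
+if (room.prid && !canAccessRoomId(room.prid, fromId)) {
+return false;
+}
+
 limit -= 1;
 
 const options = {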
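Review bot: `room.prid` on the line after `const room = Rooms.findOneById(message.rid);` is dereferenced without a null check, so a message whose room document is missing throws a TypeError out of the method instead of returning false like the surrounding guards; getMessages.ts in this same commit uses `room?.prid` for the identical lookup. `if (!room || (room.prid && !canAccessRoomId(room.prid, fromId))) { return false; }` keeps the method's return-false convention, and passing `{ fields: { prid: 1 } }` to the lookup avoids loading the full room document. The loadSurroundingMessages body starts and ends outside the hunk.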
