From fb3494bab37bb66f53a97a3f03faa905cb271742 Mon Sep 17 00:00:00 2001 From: Luciano Marcos Pierdona Junior <64279791+LucianoPierdona@users.noreply.github.com> Date: Wed, 17 Aug 2022 20:40:58 -0300 Subject: [PATCH] [FIX] Users can access public discussions inside private channels they are not members of (#25981) --- .../app/lib/server/methods/getMessages.ts | 19 ++++++++++++++++--- apps/meteor/server/methods/loadHistory.js | 7 ++++++- .../server/methods/loadSurroundingMessages.js | 8 +++++++- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/apps/meteor/app/lib/server/methods/getMessages.ts b/apps/meteor/app/lib/server/methods/getMessages.ts index 46c88152d5969..bf34b0a75d9ef 100644 --- a/apps/meteor/app/lib/server/methods/getMessages.ts +++ b/apps/meteor/app/lib/server/methods/getMessages.ts @@ -3,7 +3,7 @@ import { check } from 'meteor/check'; import type { IMessage } from '@rocket.chat/core-typings'; import { canAccessRoomId } from '../../../authorization/server'; -import { Messages } from '../../../models/server'; +import { Messages, Rooms } from '../../../models/server'; Meteor.methods({ getMessages(messages) { @@ -16,9 +16,22 @@ Meteor.methods({ const msgs = Messages.findVisibleByIds(messages).fetch() as IMessage[]; const rids = [...new Set(msgs.map((m) => m.rid))]; + const prids = [ + ...new Set( + rids.reduce((prids, rid) => { + const room = Rooms.findOneById(rid); - if (!rids.every((_id) => canAccessRoomId(_id, uid))) { - throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'getSingleMessage' }); + if (room?.prid) { + prids.push(room.prid); + } + + return prids; + }, []), + ), + ]; + + if (!rids.every((_id) => canAccessRoomId(_id, uid)) || !prids.every((_id) => canAccessRoomId(_id, uid))) { + throw new Meteor.Error('error-not-allowed', 'Not allowed', 'getSingleMessage'); } return msgs; diff --git a/apps/meteor/server/methods/loadHistory.js b/apps/meteor/server/methods/loadHistory.js index eef6bf10cb224..7795bd4ee7777 100644 
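Review bot: The parent check stops at the immediate parent: `prids` holds each room's own `prid`, so if a discussion can itself be opened inside a discussion of a private channel, only the intermediate discussion is authorized, unless canAccessRoomId already resolves parents (not visible here); the same one-level check appears in loadHistory.js and loadSurroundingMessages.js. The reduce callback also names its accumulator `prids`, shadowing the outer constant, and the per-room fetch has no projection, so `const prids = [...new Set(rids.map((rid) => Rooms.findOneById(rid, { fields: { prid: 1 } })?.prid).filter(Boolean))];` with `if (![...rids, ...prids].every((_id) => canAccessRoomId(_id, uid))) {` would express the same check with one `every`. The new throw still passes `'getSingleMessage'` as the method name in the error although this method is `getMessages`. getMessages's body continues outside the hunk.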
--- a/apps/meteor/server/methods/loadHistory.js +++ b/apps/meteor/server/methods/loadHistory.js @@ -2,7 +2,7 @@ import { Meteor } from 'meteor/meteor'; import { check } from 'meteor/check'; import { Subscriptions, Rooms } from '../../app/models/server'; -import { canAccessRoom, hasPermission, roomAccessAttributes } from '../../app/authorization/server'; +import { canAccessRoom, canAccessRoomId, hasPermission, roomAccessAttributes } from '../../app/authorization/server'; import { settings } from '../../app/settings/server'; import { loadMessageHistory } from '../../app/lib/server'; @@ -19,6 +19,7 @@ Meteor.methods({ const fromId = Meteor.userId(); const room = Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1 } }); + if (!room) { return false; } @@ -27,6 +28,10 @@ Meteor.methods({ return false; } + if (room.prid && !canAccessRoomId(room.prid, fromId)) { + return false; + } + const canAnonymous = settings.get('Accounts_AllowAnonymousRead'); const canPreview = hasPermission(fromId, 'preview-c-room'); diff --git a/apps/meteor/server/methods/loadSurroundingMessages.js b/apps/meteor/server/methods/loadSurroundingMessages.js index 4fa92b0e79ac8..75eae0420d315 100644 --- a/apps/meteor/server/methods/loadSurroundingMessages.js +++ b/apps/meteor/server/methods/loadSurroundingMessages.js @@ -2,7 +2,7 @@ import { Meteor } from 'meteor/meteor'; import { check } from 'meteor/check'; import { canAccessRoomId } from '../../app/authorization/server'; -import { Messages } from '../../app/models/server'; +import { Messages, Rooms } from '../../app/models/server'; import { settings } from '../../app/settings/server'; import { normalizeMessagesForUser } from '../../app/utils/server/lib/normalizeMessagesForUser'; @@ -33,6 +33,12 @@ Meteor.methods({ return false; } + const room = Rooms.findOneById(message.rid); + + if (room.prid && !canAccessRoomId(room.prid, fromId)) { + return false; + } + limit -= 1; const options = {
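Review bot: The new `room.prid` check in loadHistory depends on `prid` surviving the projection on the preceding `Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1 } })`; unless roomAccessAttributes already includes `prid` (it is defined outside this diff), the field is stripped and the guard is a no-op for every room. Adding it explicitly keeps the check independent of that helper: `const room = Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1, prid: 1 } });`. The check also runs before the anonymous/preview branches below it, so how `canAccessRoomId` treats a null `fromId` decides whether anonymous read of a public discussion still works; that case deserves a test. loadHistory's body continues outside the hunk.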
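Review bot: `room` is dereferenced without a null guard in loadSurroundingMessages: `Rooms.findOneById(message.rid)` returns nothing when the message's room no longer exists, and `room.prid` then throws instead of returning false as the loadHistory change in this same commit does with its `if (!room)`. `const room = Rooms.findOneById(message.rid, { fields: { prid: 1 } });` followed by `if (!room || (room.prid && !canAccessRoomId(room.prid, fromId))) {` keeps the method's existing false-on-denial contract and avoids fetching the whole room document. The enclosing method body starts and ends outside the hunk.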