[FIX] Permission view-all-teams is not checked in the teams.info endpoint #25841

Merged
merged 25 commits into from
Aug 17, 2022
Changes from 8 commits
Commits
a500e17
added permission check on `teams.info` endpoint
LucianoPierdona Jun 10, 2022
6d9efad
linting
LucianoPierdona Jun 10, 2022
5d60531
add `scope` when checking `team.info` access permissions
LucianoPierdona Jun 13, 2022
3c125ef
add `getMember` and update check on `teams.info`
LucianoPierdona Jun 13, 2022
38b1f1f
linting
LucianoPierdona Jun 13, 2022
c1fa6f8
Update teams.ts
matheusbsilva137 Jun 24, 2022
4943816
Merge remote-tracking branch 'origin/develop' into fix/view-teams-inf…
LucianoPierdona Jun 24, 2022
2fd4ec9
fix `getMember` method
LucianoPierdona Jun 24, 2022
dc72457
Merge remote-tracking branch 'origin/develop' into fix/view-teams-inf…
LucianoPierdona Jun 30, 2022
6093184
Merge remote-tracking branch 'origin/develop' into fix/view-teams-inf…
LucianoPierdona Jul 1, 2022
dc94536
update `useInviteToken` and `teams.info` to check subscription
LucianoPierdona Jul 4, 2022
4b9be54
Merge remote-tracking branch 'origin/develop' into fix/view-teams-inf…
LucianoPierdona Jul 21, 2022
99837f0
linting
LucianoPierdona Jul 21, 2022
3f6f486
Merge branch 'develop' into fix/view-teams-info-permission
matheusbsilva137 Aug 11, 2022
ab0cd48
update check of `canViewInfo`
LucianoPierdona Aug 12, 2022
309e08f
Merge branch 'develop' into fix/view-teams-info-permission
LucianoPierdona Aug 12, 2022
f45d85f
removed unused methods
LucianoPierdona Aug 12, 2022
4b88fb4
fixed check to see if room exists
LucianoPierdona Aug 15, 2022
e9a2ced
add e2e tests for `teams.info`
LucianoPierdona Aug 15, 2022
6cb3cea
update tests
LucianoPierdona Aug 15, 2022
870ab27
update tests
LucianoPierdona Aug 15, 2022
ff1b702
Update tests
LucianoPierdona Aug 15, 2022
4a081ca
Update apps/meteor/tests/end-to-end/api/25-teams.js
LucianoPierdona Aug 16, 2022
f6496e7
Merge branch 'develop' into fix/view-teams-info-permission
matheusbsilva137 Aug 16, 2022
6c558e2
Merge branch 'develop' into fix/view-teams-info-permission
kodiakhq[bot] Aug 17, 2022
6 changes: 6 additions & 0 deletions apps/meteor/app/api/server/v1/teams.ts
Expand Up @@ -577,6 +577,12 @@ API.v1.addRoute(
return API.v1.failure('Team not found');
}

const canViewInfo = (await Team.getMember(teamInfo._id, this.userId)) || hasPermission(this.userId, 'view-all-teams');

if (!canViewInfo) {
return API.v1.unauthorized();
}

return API.v1.success({ teamInfo });
},
},
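Review bot: The `return API.v1.failure('Team not found');` branch runs before the new `canViewInfo` check, so a caller who is neither a member nor holds `view-all-teams` can still tell an existing team from a missing one by comparing the two responses. Consider answering both cases with the same response for callers who fail the check. Separately, `hasPermission(this.userId, 'view-all-teams')` sits on the right of `||` without `await`; if it returns a promise the expression is always truthy and the endpoint never reaches `API.v1.unauthorized()`, so confirm it is synchronous in this file or await it.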
1 change: 1 addition & 0 deletions apps/meteor/server/sdk/types/ITeamService.ts
Expand Up @@ -105,6 +105,7 @@ export interface ITeamService {
autocomplete(uid: string, name: string): Promise<ITeamAutocompleteResult[]>;
getAllPublicTeams(options?: WithoutProjection<FindOneOptions<ITeam>>): Promise<Array<ITeam>>;
getMembersByTeamIds(teamIds: Array<string>, options: FindOneOptions<ITeamMember>): Promise<Array<ITeamMember>>;
getMember(teamId: string, userId: string, options?: FindOneOptions<ITeamMember>): Promise<ITeamMember | null>;
update(uid: string, teamId: string, updateData: ITeamUpdateData): Promise<void>;
listTeamsBySubscriberUserId(uid: string, options?: FindOneOptions<ITeamMember>): Promise<Array<ITeamMember> | null>;
insertMemberOnTeams(userId: string, teamIds: Array<string>): Promise<void>;
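Review bot: The new `getMember(teamId: string, userId: string, ...)` takes two plain `string` ids in the opposite order from the model call it wraps in service.ts, `findOneByUserIdAndTeamId(userId, teamId, options)`, so a swapped call type-checks and just returns `null`. Since `teams.info` now uses this result as an authorization decision, add a doc comment on the interface method stating the argument order and that `null` means "not a member".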
4 changes: 4 additions & 0 deletions apps/meteor/server/services/team/service.ts
Expand Up @@ -530,6 +530,10 @@ export class TeamService extends ServiceClassInternal implements ITeamService {
};
}

async getMember(teamId: string, userId: string, options: FindOneOptions<ITeamMember>): Promise<ITeamMember | null> {
return TeamMember.findOneByUserIdAndTeamId(userId, teamId, options);
}

async listRoomsOfUser(
uid: string,
teamId: string,
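Review bot: `options: FindOneOptions<ITeamMember>` is required in this `getMember` signature, but `ITeamService` declares `options?` and the `teams.info` caller passes only `teamInfo._id` and `this.userId`, so `undefined` is forwarded to `findOneByUserIdAndTeamId`. Declare it `options?:` here so the implementation matches the interface. Because the caller only tests the result for truthiness, it could also pass a narrow projection rather than loading the full member document for a permission check.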