Commit

PATCH: Allow filtering by customFields in user queries
SAPI’s `find_rc_user_by_sapi_user_id` calls RC’s `users.list` API endpoint with

    `/api/v1/users.list?query={"customFields.sa_id": #{sapi_user_id}}`

This call fails under vanilla RC 4.8.4 with

    Error: Invalid attribute: customFields.sa_id [error-invalid-query]
    at Object.get (app/api/server/v1/users.js:330:11)

This problem is related to the Upstream issue RocketChat#25722

    "API Invalid query parameter provided"

and is caused by Upstream PR RocketChat#25648

    "Chore: Rest API query parameters handling"
    commit 31ae30f

which limited which MongoDB query filters may be passed in via the RC API.
That PR was correct to restrict the query, but did not whitelist enough fields.
SAPI’s current integration with RocketChat depends on `customFields` being exposed.

Security Considerations:
Although none of SAPI’s customFields contain sensitive data, other RC installations
might indeed store sensitive data there. It’s not clear, therefore, whether this
patch should be PR’d upstream.
nmagedman committed Sep 12, 2022
1 parent 86163f2 commit 5fb21cb
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions apps/meteor/app/api/server/lib/users.ts
Expand Up @@ -81,6 +81,7 @@ export function getNonEmptyFields(fields: Record<string, 1 | 0>): Record<string,
avatarETag: 1,
lastLogin: 1,
type: 1,
customFields: 1,
} as const;

if (!fields || Object.keys(fields).length === 0) {
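Review bot: Adding `customFields: 1` to this default projection returns the entire `customFields` object to every `users.list` caller, not only the `sa_id` key that the SAPI lookup in the commit message needs. The message itself notes that other installations may keep sensitive data in `customFields`, so the broader exposure should either be narrowed to the specific subkeys required or gated behind a setting, and the reason for the new default field should be recorded in a comment next to it; a test covering the query from the commit message (`{"customFields.sa_id": ...}`) would also make the intended scope explicit.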
1 change: 1 addition & 0 deletions apps/meteor/app/api/server/v1/users.ts
Expand Up @@ -432,6 +432,7 @@ API.v1.addRoute(
inclusiveFieldsKeys.includes('username') && 'username.*',
inclusiveFieldsKeys.includes('name') && 'name.*',
inclusiveFieldsKeys.includes('type') && 'type.*',
inclusiveFieldsKeys.includes('customFields') && 'customFields.*',
].filter(Boolean) as string[],
this.queryOperations,
)
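Review bot: The `'customFields.*'` wildcard makes every custom-field subkey queryable, whereas the stated need is a single key; a narrower allowlist entry such as `'customFields.sa_id'` (or a configurable list of permitted subkeys) would keep the restriction introduced by upstream PR RocketChat#25648 meaningful for installations whose custom fields hold sensitive values. Note also that this entry is conditioned on `inclusiveFieldsKeys.includes('customFields')`, so it only takes effect together with the projection change in `lib/users.ts`; that coupling deserves a comment here, since removing one half silently disables the other.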
