

chore!: Improve permissions check on channels endpoints (#32330)
* chore: Improve permission check on channels endpoints
matheusbsilva137 authored and MartinSchoeler committed Sep 18, 2024
1 parent bed7839 commit e32f3c7
Showing 2 changed files with 218 additions and 105 deletions.
41 changes: 20 additions & 21 deletions apps/meteor/app/api/server/v1/channels.ts
Expand Up @@ -27,7 +27,7 @@ import { findUsersOfRoom } from '../../../../server/lib/findUsersOfRoom';
import { hideRoomMethod } from '../../../../server/methods/hideRoom';
import { removeUserFromRoomMethod } from '../../../../server/methods/removeUserFromRoom';
import { canAccessRoomAsync } from '../../../authorization/server';
import { hasPermissionAsync, hasAtLeastOnePermissionAsync } from '../../../authorization/server/functions/hasPermission';
import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
import { saveRoomSettings } from '../../../channel-settings/server/methods/saveRoomSettings';
import { mountIntegrationQueryBasedOnPermissions } from '../../../integrations/server/lib/mountQueriesBasedOnPermission';
import { addUsersToRoomMethod } from '../../../lib/server/methods/addUsersToRoom';
Expand Down Expand Up @@ -272,6 +272,7 @@ API.v1.addRoute(
{
authRequired: true,
validateParams: isChannelsMessagesProps,
permissionsRequired: ['view-c-room'],
},
{
async get() {
Expand All @@ -292,9 +293,6 @@ API.v1.addRoute(
) {
return API.v1.unauthorized();
}
if (!(await hasPermissionAsync(this.userId, 'view-c-room'))) {
return API.v1.unauthorized();
}

const { cursor, totalCount } = await Messages.findPaginated(ourQuery, {
sort: sort || { ts: -1 },
Expand Down Expand Up @@ -477,13 +475,10 @@ API.v1.addRoute(
{
authRequired: true,
validateParams: isChannelsConvertToTeamProps,
permissionsRequired: ['create-team'],
},
{
async post() {
if (!(await hasPermissionAsync(this.userId, 'create-team'))) {
return API.v1.unauthorized();
}

const { channelId, channelName } = this.bodyParams;

if (!channelId && !channelName) {
Expand Down Expand Up @@ -855,20 +850,22 @@ API.v1.addRoute(

API.v1.addRoute(
'channels.getIntegrations',
{ authRequired: true },
{
async get() {
if (
!(await hasAtLeastOnePermissionAsync(this.userId, [
authRequired: true,
permissionsRequired: {
GET: {
permissions: [
'manage-outgoing-integrations',
'manage-own-outgoing-integrations',
'manage-incoming-integrations',
'manage-own-incoming-integrations',
]))
) {
return API.v1.unauthorized();
}

],
operation: 'hasAny',
},
},
},
{
async get() {
const findResult = await findChannelByIdOrName({
params: this.queryParams,
checkedArchived: false,
Expand Down Expand Up @@ -954,7 +951,12 @@ API.v1.addRoute(

API.v1.addRoute(
'channels.list',
{ authRequired: true },
{
authRequired: true,
permissionsRequired: {
GET: { permissions: ['view-c-room', 'view-joined-room'], operation: 'hasAny' },
},
},
{
async get() {
const { offset, count } = await getPaginationItems(this.queryParams);
Expand All @@ -964,9 +966,6 @@ API.v1.addRoute(
const ourQuery: Record<string, any> = { ...query, t: 'c' };

if (!hasPermissionToSeeAllPublicChannels) {
if (!(await hasPermissionAsync(this.userId, 'view-joined-room'))) {
return API.v1.unauthorized();
}
const roomIds = (
await Subscriptions.findByUserIdAndType(this.userId, 'c', {
projection: { rid: 1 },
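Review bot: In the channels.list hunk the `if (!hasPermissionToSeeAllPublicChannels)` branch no longer re-checks `view-joined-room` itself, so scoping the query to subscribed rooms is only correct because the new route-level `hasAny` gate already rejected callers with neither permission; that invariant is now split between the route options and a variable assigned above the hunk, which cannot be confirmed from here. A one-line comment on the branch would make the coupling explicit, e.g. `// permissionsRequired (hasAny) already guarantees view-joined-room here; list only subscribed channels`. Note that the declarative `permissionsRequired` checks are global user permissions, not per-room access: for channels.messages the `canAccessRoom`-style guard still visible above the removed lines remains the only room-scoped check, and it should stay. The `get()` handler of channels.list continues past the end of the hunk, and the hunk also means unauthorized callers are now refused before any room lookup or parameter handling, which is presumably the behaviour change behind the `chore!` marker and could be stated in the description.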

