apitech
/
Rocket.Chat
mirror of https://github.com/RocketChat/Rocket.Chat
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[FIX] api-bypass-rate-limiter permission was not working (#16080)

Browse Source
pull/16118/head
Marcos Spessatto Defendi 6 years ago committed by Diego Sampaio
parent 8b0b060db3
commit 4bdcb30ab7
2 changed files with 7 additions and 7 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 10
      app/api/server/api.js
  2. 4
      app/integrations/server/api/api.js

10
app/api/server/api.js
Unescape View File

@ -179,15 +179,15 @@ export class APIClass extends Restivus {
return rateLimiterDictionary[route];
}
shouldVerifyRateLimit(route) {
shouldVerifyRateLimit(route, userId) {
return rateLimiterDictionary.hasOwnProperty(route)
&& settings.get('API_Enable_Rate_Limiter') === true
&& (process.env.NODE_ENV !== 'development' || settings.get('API_Enable_Rate_Limiter_Dev') === true)
&& !(this.userId && hasPermission(this.userId, 'api-bypass-rate-limit'));
&& !(userId && hasPermission(userId, 'api-bypass-rate-limit'));
}
enforceRateLimit(objectForRateLimitMatch, request, response) {
if (!this.shouldVerifyRateLimit(objectForRateLimitMatch.route)) {
enforceRateLimit(objectForRateLimitMatch, request, response, userId) {
if (!this.shouldVerifyRateLimit(objectForRateLimitMatch.route, userId)) {
return;
}
@ -321,7 +321,7 @@ export class APIClass extends Restivus {
};
try {
api.enforceRateLimit(objectForRateLimitMatch, this.request, this.response);
api.enforceRateLimit(objectForRateLimitMatch, this.request, this.response, this.userId);
if (shouldVerifyPermissions && (!this.userId || !hasAllPermission(this.userId, options.permissionsRequired))) {
throw new Meteor.Error('error-unauthorized', 'User does not have the permissions required for this action', {

4
app/integrations/server/api/api.js
Unescape View File

@ -333,7 +333,7 @@ class WebHookAPI extends APIClass {
There is only one generic route propagated to Restivus which has URL-path-parameters for the integration and the token.
Since the rate-limiter operates on absolute routes, we need to add a limiter to the absolute url before we can validate it
*/
enforceRateLimit(objectForRateLimitMatch, request, response) {
enforceRateLimit(objectForRateLimitMatch, request, response, userId) {
const { method, url } = request;
const route = url.replace(`/${ this.apiPath }`, '');
const nameRoute = this.getFullRouteName(route, [method.toLowerCase()]);
@ -354,7 +354,7 @@ class WebHookAPI extends APIClass {
const integrationForRateLimitMatch = objectForRateLimitMatch;
integrationForRateLimitMatch.route = nameRoute;
super.enforceRateLimit(integrationForRateLimitMatch, request, response);
super.enforceRateLimit(integrationForRateLimitMatch, request, response, userId);
}
}

Write Preview
Loading…
Cancel
Save