From 55efdea054a290d194aa6ce7480a9548ec3477bd Mon Sep 17 00:00:00 2001 From: Reid Wakida Date: Wed, 11 Nov 2015 18:55:01 -1000 Subject: [PATCH] Adds 2 new permissions related to bulk user registration and bulk channel creation. Permissions are assigned admin role. The nimble:restivus package, used by REST api, does not support alanning:roles with 'groups'. It doesn't even use the alanning:roles API to check for roles. As a workaround, I removed restivus's rolesRequired check from the bulk api methods and added Rocketchat.authz.hasPermission checks. --- .../server/startup.coffee | 5 ++ server/restapi/restapi.coffee | 64 ++++++++++++------- 2 files changed, 45 insertions(+), 24 deletions(-) diff --git a/packages/rocketchat-authorization/server/startup.coffee b/packages/rocketchat-authorization/server/startup.coffee index a8072af4f3c..c7cd71d4072 100644 --- a/packages/rocketchat-authorization/server/startup.coffee +++ b/packages/rocketchat-authorization/server/startup.coffee @@ -72,6 +72,11 @@ Meteor.startup -> { _id: 'delete-d', roles : ['admin', 'site-moderator']} + { _id: 'bulk-register-user', + roles : ['admin']} + + { _id: 'bulk-create-c', + roles : ['admin']} ] #alanning:roles diff --git a/server/restapi/restapi.coffee b/server/restapi/restapi.coffee index 79abfe263c3..55f4c2bea0f 100644 --- a/server/restapi/restapi.coffee +++ b/server/restapi/restapi.coffee 
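Review bot: The two new permission entries `bulk-register-user` and `bulk-create-c` carry no comment saying what they gate, while the matching REST routes in server/restapi/restapi.coffee check them by bare string; a one-line note keeps the id and its consumer in sync, e.g. `# checked by the REST routes bulk/register and bulk/createRoom (server/restapi/restapi.coffee)` above the first entry. Both default to the admin role only, whereas the routes' (commented-out) roleRequired list named 'testagent' and 'adminautomation'; if those roles are still meant to drive bulk automation, the permission has to be granted to them explicitly, which is worth stating next to the entries. The enclosing permissions array starts before this hunk, so I cannot see whether a shared naming convention (`create-c` vs `bulk-create-c`) is documented there.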
@@ -99,23 +99,31 @@ NOTE: remove room is NOT recommended; use Meteor.reset() to clear db and re-se ### Api.addRoute 'bulk/register', authRequired: true, post: + # restivus 0.8.4 does not support alanning:roles using groups #roleRequired: ['testagent', 'adminautomation'] action: -> - try - Api.testapiValidateUsers @bodyParams.users - this.response.setTimeout (500 * @bodyParams.users.length) - ids = [] - endCount = @bodyParams.users.length - 1 - for incoming, i in @bodyParams.users - ids[i] = {uid: Meteor.call 'registerUser', incoming} - Meteor.runAsUser ids[i].uid, () => - Meteor.call 'setUsername', incoming.name - Meteor.call 'joinDefaultChannels' + if RocketChat.authz.hasPermission(@userId, 'bulk-register-user') + try + + Api.testapiValidateUsers @bodyParams.users + this.response.setTimeout (500 * @bodyParams.users.length) + ids = [] + endCount = @bodyParams.users.length - 1 + for incoming, i in @bodyParams.users + ids[i] = {uid: Meteor.call 'registerUser', incoming} + Meteor.runAsUser ids[i].uid, () => + Meteor.call 'setUsername', incoming.name + Meteor.call 'joinDefaultChannels' + + status: 'success', ids: ids + catch e + statusCode: 400 # bad request or other errors + body: status: 'fail', message: e.name + ' :: ' + e.message + else + console.log '[restapi] bulk/register -> '.red, "User does not have 'bulk-register-user' permission" + statusCode: 403 + body: status: 'error', message: 'You do not have permission to do this' - status: 'success', ids: ids - catch e - statusCode: 400 # bad request or other errors - body: status: 'fail', message: e.name + ' :: ' + e.message 
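Review bot: In the `for incoming, i in @bodyParams.users` loop, a `registerUser`, `setUsername` or `joinDefaultChannels` failure on the Nth entry leaves entries 0..N-1 fully created, yet the catch branch answers 400 with only `e.name + ' :: ' + e.message` and drops `ids`, so the caller cannot tell which accounts now exist. Move `ids = []` above the `try` and report the partial result in the failure body, `body: status: 'fail', message: e.name + ' :: ' + e.message, ids: ids`, or document in a comment that the route is not atomic and the caller must reconcile after a 400. The two non-success bodies also disagree on the status word (`'fail'` for 400, `'error'` for 403); one vocabulary is easier for clients. The permission check itself is correctly placed after `authRequired: true`, since `@userId` is only meaningful once authenticated.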
@@ -163,18 +171,26 @@ NOTE: remove room is NOT recommended; use Meteor.reset() to clear db and re-se ### Api.addRoute 'bulk/createRoom', authRequired: true, post: + # restivus 0.8.4 does not support alanning:roles using groups #roleRequired: ['testagent', 'adminautomation'] action: -> - try - this.response.setTimeout (1000 * @bodyParams.rooms.length) - Api.testapiValidateRooms @bodyParams.rooms - ids = [] - Meteor.runAsUser this.userId, () => - (ids[i] = Meteor.call 'createChannel', incoming.name, incoming.members) for incoming,i in @bodyParams.rooms - status: 'success', ids: ids # need to handle error - catch e - statusCode: 400 # bad request or other errors - body: status: 'fail', message: e.name + ' :: ' + e.message + # user must also have create-c permission because + # createChannel method requires it + if RocketChat.authz.hasPermission(@userId, 'bulk-create-c') + try + this.response.setTimeout (1000 * @bodyParams.rooms.length) + Api.testapiValidateRooms @bodyParams.rooms + ids = [] + Meteor.runAsUser this.userId, () => + (ids[i] = Meteor.call 'createChannel', incoming.name, incoming.members) for incoming,i in @bodyParams.rooms + status: 'success', ids: ids # need to handle error + catch e + statusCode: 400 # bad request or other errors + body: status: 'fail', message: e.name + ' :: ' + e.message + else + console.log '[restapi] bulk/createRoom -> '.red, "User does not have 'bulk-create-c' permission" + statusCode: 403 + body: status: 'error', message: 'You do not have permission to do this'
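Review bot: `this.response.setTimeout (1000 * @bodyParams.rooms.length)` runs before `Api.testapiValidateRooms @bodyParams.rooms`, so the timeout is derived from an unvalidated body property, while bulk/register in the same file validates first; swap the two lines so the order reads `Api.testapiValidateRooms @bodyParams.rooms` then `this.response.setTimeout (1000 * @bodyParams.rooms.length)`. The new comment above the permission check is easy to misread: the code only tests `bulk-create-c`, and the ordinary `create-c` requirement is enforced inside `createChannel`, which runs as the caller via `Meteor.runAsUser this.userId`; I would reword it to `# bulk-create-c gates this route; createChannel itself still enforces the caller's create-c permission`. The `# need to handle error` marker on the success line is carried over unaddressed — a failing `createChannel` mid-loop leaves the earlier channels created while the 400 body drops `ids`. Any trailing context lines of this hunk beyond the 403 body are not visible here.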