From 84633d2a922d84ed689a1d716d7d5a5fabd30d7d Mon Sep 17 00:00:00 2001
From: Marcos Spessatto Defendi
Date: Sat, 2 Mar 2019 17:04:00 -0300
Subject: [PATCH] [NEW] Permission to assign roles (#13597)

* Fix roles and integrations

* Change name of permission and remove permission of manage integrations to bot role
---
 packages/rocketchat-authorization/server/startup.js | 3 ++-
 packages/rocketchat-i18n/i18n/en.i18n.json | 1 +
 packages/rocketchat-integrations/server/api/api.js | 1 -
 packages/rocketchat-lib/server/functions/saveUser.js | 7 +++++++
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/packages/rocketchat-authorization/server/startup.js b/packages/rocketchat-authorization/server/startup.js
index f768a3770af..6136ecd5d1a 100644
--- a/packages/rocketchat-authorization/server/startup.js
+++ b/packages/rocketchat-authorization/server/startup.js
@@ -16,6 +16,7 @@ Meteor.startup(function() {
 { _id: 'api-bypass-rate-limit', roles : ['admin', 'bot'] },
 { _id: 'archive-room', roles : ['admin', 'owner'] },
 { _id: 'assign-admin-role', roles : ['admin'] },
+ { _id: 'assign-roles', roles : ['admin'] },
 { _id: 'ban-user', roles : ['admin', 'owner', 'moderator'] },
 { _id: 'bulk-create-c', roles : ['admin'] },
 { _id: 'bulk-register-user', roles : ['admin'] },
@@ -44,7 +45,7 @@ Meteor.startup(function() {
 { _id: 'manage-assets', roles : ['admin'] },
 { _id: 'manage-emoji', roles : ['admin'] },
 { _id: 'manage-integrations', roles : ['admin'] },
- { _id: 'manage-own-integrations', roles : ['admin', 'bot'] },
+ { _id: 'manage-own-integrations', roles : ['admin'] },
 { _id: 'manage-oauth-apps', roles : ['admin'] },
 { _id: 'mention-all', roles : ['admin', 'owner', 'moderator', 'user'] },
 { _id: 'mention-here', roles : ['admin', 'owner', 'moderator', 'user'] },
diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json
index 99833b8c981..22faa221bb6 100644
--- a/packages/rocketchat-i18n/i18n/en.i18n.json
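Review bot: The new `assign-roles` entry is seeded for `admin` only, which is the right default, but the matching i18n hunk adds just the label and no `assign-roles_description`, unlike the neighbouring `assign-admin-role`, which carries `assign-admin-role_description`; add a description string such as `"assign-roles_description": "Permission to assign roles to other users"` so the permissions screen explains what the grant covers. Note also that `assign-admin-role` remains a separate entry on the line above, so a consumer that checks only `assign-roles` would presumably let a non-admin holder grant `admin`; the check in saveUser.js (its hunk is cut off in this view) should keep consulting `assign-admin-role` for that case.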
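Review bot: Removing `bot` from `manage-own-integrations` only changes the default seeded here; if this list is applied to the permissions collection with an insert-only upsert (not visible in the hunk), already-deployed instances keep `bot` on the stored document and the tightening never reaches them, so a migration that pulls `bot` from that permission's `roles` should accompany the change. A short comment on the line, `// bots no longer manage their own integrations; existing installs need a migration`, would record the intent for the next reader of this list.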
+++ b/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -360,6 +360,7 @@
 "assign-admin-role": "Assign Admin Role",
 "assign-admin-role_description": "Permission to assign the admin role to other users",
 "Assign_admin": "Assigning admin",
+ "assign-roles": "Assign Roles",
 "at": "at",
 "At_least_one_added_token_is_required_by_the_user": "At least one added token is required by the user",
 "AtlassianCrowd": "Atlassian Crowd",
diff --git a/packages/rocketchat-integrations/server/api/api.js b/packages/rocketchat-integrations/server/api/api.js
index b330db9aeb5..a86e77f7b1c 100644
--- a/packages/rocketchat-integrations/server/api/api.js
+++ b/packages/rocketchat-integrations/server/api/api.js
@@ -98,7 +98,6 @@ function buildSandbox(store = {}) {
 }
 },
 };
- Object.keys(Models).filter((k) => !k.startsWith('_')).forEach((k) => sandbox[k] = Models[k]);
 return { store, sandbox };
 }
diff --git a/packages/rocketchat-lib/server/functions/saveUser.js b/packages/rocketchat-lib/server/functions/saveUser.js
index d9b52d6582e..c334678af46 100644
--- a/packages/rocketchat-lib/server/functions/saveUser.js
+++ b/packages/rocketchat-lib/server/functions/saveUser.js
@@ -110,6 +110,13 @@ function validateUserEditing(userId, userData) {
 const canEditOtherUserInfo = hasPermission(userId, 'edit-other-user-info');
 const canEditOtherUserPassword = hasPermission(userId, 'edit-other-user-password');

+ if (userData.roles && !hasPermission(userId, 'assign-roles')) {
+ throw new Meteor.Error('error-action-not-allowed', 'Assign roles is not allowed', {
+ method: 'insertOrUpdateUser',
+ action: 'Assign_role',
+ });
+ }
+
 if (!settings.get('Accounts_AllowUserProfileChange') && !canEditOtherUserInfo && !canEditOtherUserPassword) {
 throw new Meteor.Error('error-action-not-allowed', 'Edit user profile is not allowed', {
 method: 'insertOrUpdateUser',