[NEW] Add view-broadcast-member-list permission (#10753)

[NEW] Add permission `view-broadcast-member-list`
8 years ago · 8b875858ae
parent 1cbddee59b
commit 8b875858ae
6 changed files with 17 additions and 2 deletions
--- a/packages/rocketchat-api/server/v1/channels.js
+++ b/packages/rocketchat-api/server/v1/channels.js
@ -557,6 +557,10 @@ RocketChat.API.v1.addRoute('channels.members', { authRequired: true }, {
 			returnUsernames: true
 		});

+		if (findResult.broadcast && !RocketChat.authz.hasPermission(this.userId, 'view-broadcast-member-list')) {
+			return RocketChat.API.v1.unauthorized();
+		}
+
 		const { offset, count } = this.getPaginationItems();
 		const { sort } = this.parseJsonQuery();

--- a/packages/rocketchat-api/server/v1/groups.js
+++ b/packages/rocketchat-api/server/v1/groups.js
@ -449,6 +449,11 @@ RocketChat.API.v1.addRoute('groups.listAll', { authRequired: true }, {
 RocketChat.API.v1.addRoute('groups.members', { authRequired: true }, {
 	get() {
 		const findResult = findPrivateGroupByIdOrName({ params: this.requestParams(), userId: this.userId });
+
+		if (findResult._room.broadcast && !RocketChat.authz.hasPermission(this.userId, 'view-broadcast-member-list')) {
+			return RocketChat.API.v1.unauthorized();
+		}
+
 		const { offset, count } = this.getPaginationItems();
 		const { sort } = this.parseJsonQuery();

--- a/packages/rocketchat-authorization/server/startup.js
+++ b/packages/rocketchat-authorization/server/startup.js
@ -67,7 +67,8 @@ Meteor.startup(function() {
 		{ _id: 'view-statistics',               roles : ['admin'] },
 		{ _id: 'view-user-administration',      roles : ['admin'] },
 		{ _id: 'preview-c-room',                roles : ['admin', 'user', 'anonymous'] },
-		{ _id: 'view-outside-room',             roles : ['admin', 'owner', 'moderator', 'user'] }
+		{ _id: 'view-outside-room',             roles : ['admin', 'owner', 'moderator', 'user'] },
+		{ _id: 'view-broadcast-member-list',    roles : ['admin', 'owner', 'moderator'] }
 	];

 	for (const permission of permissions) {
--- a/packages/rocketchat-i18n/i18n/en.i18n.json
+++ b/packages/rocketchat-i18n/i18n/en.i18n.json
@ -2322,6 +2322,7 @@
  "Video_message": "Video message",
  "Videocall_declined": "Video Call Declined.",
  "Videocall_enabled": "Video Call Enabled",
+  "view-broadcast-member-list": "View Members List in Broadcast Room",
  "view-c-room": "View Public Channel",
  "view-c-room_description": "Permission to view public channels",
  "view-d-room": "View Direct Messages",
--- a/packages/rocketchat-lib/client/defaultTabBars.js
+++ b/packages/rocketchat-lib/client/defaultTabBars.js
@ -33,7 +33,7 @@ RocketChat.TabBar.addButton({
 			return true;
 		}

-		return RocketChat.authz.hasRole(Meteor.userId(), ['admin', 'moderator', 'owner'], rid);
+		return RocketChat.authz.hasAllPermission('view-broadcast-member-list', rid);
 	}
 });

--- a/server/methods/getUsersOfRoom.js
+++ b/server/methods/getUsersOfRoom.js
@ -9,6 +9,10 @@ Meteor.methods({
 			throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'getUsersOfRoom' });
 		}

+		if (room.broadcast && !RocketChat.authz.hasPermission(Meteor.userId(), 'view-broadcast-member-list', roomId)) {
+			throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'getUsersOfRoom' });
+		}
+
 		const filter = (record) => {
 			if (!record._user) {
 				console.log('Subscription without user', record._id);