[FIX] Users can access public discussions inside private channels they are not members of (#25981)

Luciano Marcos Pierdona Junior 3 years ago committed by GitHub
parent 7f66816017
commit a1476d0c02
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 19
      apps/meteor/app/lib/server/methods/getMessages.ts
  2. 7
      apps/meteor/server/methods/loadHistory.js
  3. 8
      apps/meteor/server/methods/loadSurroundingMessages.js

@ -3,7 +3,7 @@ import { check } from 'meteor/check';
import type { IMessage } from '@rocket.chat/core-typings';
import { canAccessRoomId } from '../../../authorization/server';
import { Messages } from '../../../models/server';
import { Messages, Rooms } from '../../../models/server';
Meteor.methods({
getMessages(messages) {
@ -16,9 +16,22 @@ Meteor.methods({
const msgs = Messages.findVisibleByIds(messages).fetch() as IMessage[];
const rids = [...new Set(msgs.map((m) => m.rid))];
const prids = [
...new Set(
rids.reduce<string[]>((prids, rid) => {
const room = Rooms.findOneById(rid);
if (!rids.every((_id) => canAccessRoomId(_id, uid))) {
throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'getSingleMessage' });
if (room?.prid) {
prids.push(room.prid);
}
return prids;
}, []),
),
];
if (!rids.every((_id) => canAccessRoomId(_id, uid)) || !prids.every((_id) => canAccessRoomId(_id, uid))) {
throw new Meteor.Error('error-not-allowed', 'Not allowed', 'getSingleMessage');
}
return msgs;
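Review bot: The parent check introduced after the `prids` build walks only one `prid` level, so a discussion opened inside another discussion would be validated against its direct parent while the grandparent (the private channel the title is about) is never consulted; confirm whether nested discussions are possible here before relying on this. Patching three Meteor methods individually also leaves every other consumer of `canAccessRoomId` on a discussion room with the original gap; a more durable fix would be for `canAccessRoom` itself to follow `prid`, so callers need no special handling. `Rooms.findOneById(rid)` loads the whole room document once per rid where `Rooms.findOneById(rid, { fields: { prid: 1 } })` (or a single `find` with `$in`) would do. The error's third argument also changed from `{ method: 'getSingleMessage' }` to a bare string; keeping the object form (and arguably the real name, `getMessages`) keeps the details shape consistent with the removed line.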

@ -2,7 +2,7 @@ import { Meteor } from 'meteor/meteor';
import { check } from 'meteor/check';
import { Subscriptions, Rooms } from '../../app/models/server';
import { canAccessRoom, hasPermission, roomAccessAttributes } from '../../app/authorization/server';
import { canAccessRoom, canAccessRoomId, hasPermission, roomAccessAttributes } from '../../app/authorization/server';
import { settings } from '../../app/settings/server';
import { loadMessageHistory } from '../../app/lib/server';
@ -19,6 +19,7 @@ Meteor.methods({
const fromId = Meteor.userId();
const room = Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1 } });
if (!room) {
return false;
}
@ -27,6 +28,10 @@ Meteor.methods({
return false;
}
if (room.prid && !canAccessRoomId(room.prid, fromId)) {
return false;
}
const canAnonymous = settings.get('Accounts_AllowAnonymousRead');
const canPreview = hasPermission(fromId, 'preview-c-room');
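Review bot: The new `room.prid` guard only works if `prid` survives the projection on `Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1 } })` from the earlier hunk; `roomAccessAttributes` is not visible here, and if it omits `prid` the field is stripped and this check silently never fires. Either confirm it includes `prid` or make the dependency explicit: `const room = Rooms.findOneById(rid, { fields: { ...roomAccessAttributes, t: 1, prid: 1 } });`. A regression test that calls loadHistory on a discussion whose parent is a private group the caller does not belong to would catch this. As in the other two methods, only the direct parent is checked, and the method body continues past the hunk.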

@ -2,7 +2,7 @@ import { Meteor } from 'meteor/meteor';
import { check } from 'meteor/check';
import { canAccessRoomId } from '../../app/authorization/server';
import { Messages } from '../../app/models/server';
import { Messages, Rooms } from '../../app/models/server';
import { settings } from '../../app/settings/server';
import { normalizeMessagesForUser } from '../../app/utils/server/lib/normalizeMessagesForUser';
@ -33,6 +33,12 @@ Meteor.methods({
return false;
}
const room = Rooms.findOneById(message.rid);
if (room.prid && !canAccessRoomId(room.prid, fromId)) {
return false;
}
limit -= 1;
const options = {
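Review bot: `Rooms.findOneById(message.rid)` is dereferenced unguarded on the next line, so a message whose room no longer exists raises a TypeError instead of the `return false` this method uses for its other failure paths, and the lookup fetches the full room document. Mirror getMessages.ts: `const room = Rooms.findOneById(message.rid, { fields: { prid: 1 } });` followed by `if (room?.prid && !canAccessRoomId(room.prid, fromId)) { return false; }`. This assumes `fromId` is already in scope from the part of the method above the hunk, which is not visible here; the method body also continues past the hunk.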
