[FIX] Non admin cannot add custom avatar to group (#18960)

Co-authored-by: Pierre Lehnen <pierre.lehnen@rocket.chat>
5 years ago · a511abd58b
parent aa922cfb90
commit a511abd58b
4 changed files with 23 additions and 1 deletions
--- a/app/channel-settings/server/methods/saveRoomSettings.js
+++ b/app/channel-settings/server/methods/saveRoomSettings.js
@ -104,6 +104,14 @@ const validators = {
 			});
 		}
 	},
+	roomAvatar({ userId, rid }) {
+		if (!hasPermission(userId, 'edit-room-avatar', rid)) {
+			throw new Meteor.Error('error-action-not-allowed', 'Editing a room avatar is not allowed', {
+				method: 'saveRoomSettings',
+				action: 'Editing_room',
+			});
+		}
+	},
 };

 const settingSavers = {
--- a/app/file-upload/server/lib/FileUpload.js
+++ b/app/file-upload/server/lib/FileUpload.js
@ -181,7 +181,12 @@ export const FileUpload = {
 		if (settings.get('Accounts_AvatarResize') !== true) {
 			return;
 		}
-		if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
+
+		if (file.rid) {
+			if (!hasPermission(Meteor.userId(), 'edit-room-avatar', file.rid)) {
+				throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
+			}
+		} else if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
 			throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
 		}

--- a/app/lib/server/functions/setRoomAvatar.js
+++ b/app/lib/server/functions/setRoomAvatar.js
@ -12,6 +12,9 @@ export const setRoomAvatar = function(rid, dataURI, user) {

 	if (!dataURI) {
 		fileStore.deleteByRoomId(rid);
+		Messages.createRoomSettingsChangedWithTypeRoomIdMessageAndUser('room_changed_avatar', rid, '', user);
+		Notifications.notifyLogged('updateAvatar', { rid });
+
 		return Rooms.unsetAvatarData(rid);
 	}

@ -27,6 +30,10 @@ export const setRoomAvatar = function(rid, dataURI, user) {
 	};

 	fileStore.insert(file, buffer, (err, result) => {
+		if (err) {
+			throw err;
+		}
+
 		Meteor.setTimeout(function() {
 			if (current) {
 				fileStore.deleteById(current._id);
--- a/packages/rocketchat-i18n/i18n/en.i18n.json
+++ b/packages/rocketchat-i18n/i18n/en.i18n.json
@ -1354,6 +1354,8 @@
  "edit-privileged-setting": "Edit privileged Setting",
  "edit-privileged-setting_description": "Permission to edit settings",
  "edit-room": "Edit Room",
+  "edit-room-avatar": "Edit Room Avatar",
+  "edit-room-avatar_description": "Permission to edit a room's avatar.",
  "edit-room_description": "Permission to edit a room's name, topic, type (private or public status) and status (active or archived)",
  "edit-room-retention-policy": "Edit Room's Retention Policy",
  "edit-room-retention-policy_description": "Permission to edit a room’s retention policy, to automatically delete messages in it",