Regression: Invite links working for group DMs (#17056)

* Regression: Invite links working for group DMs * Protect invite link creation Co-authored-by: Diego Sampaio <chinello@gmail.com>
5 years ago · ba602bcabb
parent 0e3883e4cc
commit ba602bcabb
4 changed files with 21 additions and 4 deletions
--- a/app/invites/server/functions/findOrCreateInvite.js
+++ b/app/invites/server/functions/findOrCreateInvite.js
@ -3,9 +3,10 @@ import { Random } from 'meteor/random';

 import { hasPermission } from '../../../authorization';
 import { Notifications } from '../../../notifications';
-import { Invites, Subscriptions } from '../../../models';
+import { Invites, Subscriptions, Rooms } from '../../../models/server';
 import { settings } from '../../../settings';
 import { getURL } from '../../../utils/lib/getURL';
+import { roomTypes, RoomMemberActions } from '../../../utils/server';

 function getInviteUrl(invite) {
 	const { _id } = invite;
@ -40,6 +41,11 @@ export const findOrCreateInvite = (userId, invite) => {
 		throw new Meteor.Error('error-invalid-room', 'The rid field is invalid', { method: 'findOrCreateInvite', field: 'rid' });
 	}

+	const room = Rooms.findOneById(invite.rid);
+	if (!roomTypes.getConfig(room.t).allowMemberAction(room, RoomMemberActions.INVITE)) {
+		throw new Meteor.Error('error-room-type-not-allowed', 'Cannot create invite links for this room type', { method: 'findOrCreateInvite' });
+	}
+
 	let { days, maxUses } = invite;

 	if (!possibleDays.includes(days)) {
--- a/app/invites/server/functions/useInviteToken.js
+++ b/app/invites/server/functions/useInviteToken.js
@ -3,6 +3,7 @@ import { Meteor } from 'meteor/meteor';
 import { Invites, Users, Subscriptions } from '../../../models/server';
 import { validateInviteToken } from './validateInviteToken';
 import { addUserToRoom } from '../../../lib/server/functions/addUserToRoom';
+import { roomTypes, RoomMemberActions } from '../../../utils/server';

 export const useInviteToken = (userId, token) => {
 	if (!userId) {
@ -15,6 +16,10 @@ export const useInviteToken = (userId, token) => {

 	const { inviteData, room } = validateInviteToken(token);

+	if (!roomTypes.getConfig(room.t).allowMemberAction(room, RoomMemberActions.INVITE)) {
+		throw new Meteor.Error('error-room-type-not-allowed', 'Can\'t join room of this type via invite', { method: 'useInviteToken', field: 'token' });
+	}
+
 	const user = Users.findOneById(userId);
 	Users.updateInviteToken(user._id, token);

--- a/app/lib/server/functions/addUserToRoom.js
+++ b/app/lib/server/functions/addUserToRoom.js
@ -2,11 +2,17 @@ import { Meteor } from 'meteor/meteor';

 import { Rooms, Subscriptions, Messages } from '../../../models';
 import { callbacks } from '../../../callbacks';
+import { roomTypes, RoomMemberActions } from '../../../utils/server';

 export const addUserToRoom = function(rid, user, inviter, silenced) {
 	const now = new Date();
 	const room = Rooms.findOneById(rid);

+	const roomConfig = roomTypes.getConfig(room.t);
+	if (!roomConfig.allowMemberAction(room, RoomMemberActions.JOIN) && !roomConfig.allowMemberAction(room, RoomMemberActions.INVITE)) {
+		return;
+	}
+
 	// Check if user is already in room
 	const subscription = Subscriptions.findOneByRoomIdAndUserId(rid, user._id);
 	if (subscription) {
--- a/app/ui-flextab/client/tabs/membersList.html
+++ b/app/ui-flextab/client/tabs/membersList.html
@ -51,10 +51,10 @@
 		<div class="rc-button__group rc-button__group--stretch">
 			{{#if canAddUser}}
 				<button class="rc-button rc-button--primary js-add">{{> icon block="rc-input__icon-svg" icon="plus"}}{{_ "Add_users"}}</button>
-			{{/if}}

-			{{#if canInviteUser}}
-				<button class="rc-button rc-button--primary js-invite">{{> icon block="rc-input__icon-svg" icon="user-plus"}}{{_ "Invite_Users"}}</button>
+				{{#if canInviteUser}}
+					<button class="rc-button rc-button--primary js-invite">{{> icon block="rc-input__icon-svg" icon="user-plus"}}{{_ "Invite_Users"}}</button>
+				{{/if}}
 			{{/if}}
 		</div>