Merge branch 'master' into develop

4 years ago · bc506931e7
parent 156d77d231 03394ccaa5
commit bc506931e7
6 changed files with 1335 additions and 929 deletions
--- a/.github/history-manual.json
+++ b/.github/history-manual.json
@ -115,5 +115,13 @@
 			"matheusbsilva137",
 			"pierre-lehnen-rc"
 		]
+	}],
+	"3.18.2": [{
+		"title": "[FIX] Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)",
+		"userLogin": "sampaiodiego",
+		"contributors": [
+			"sampaiodiego",
+			"pierre-lehnen-rc"
+		]
 	}]
 }
--- a/.github/history.json
+++ b/.github/history.json
@ -64550,6 +64550,83 @@
        "4.2"
      ],
      "pull_requests": []
+    },
+    "3.18.1": {
+      "node_version": "12.22.1",
+      "npm_version": "6.14.1",
+      "apps_engine_version": "1.27.1",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0",
+        "4.2"
+      ],
+      "pull_requests": [
+        {
+          "pr": "23091",
+          "title": "Regression: Auth banner for EE",
+          "userLogin": "g-thome",
+          "description": "Dimisses auth banners assigned to EE admins and prevents new ones from appearing.",
+          "milestone": "3.18.1",
+          "contributors": [
+            "g-thome",
+            "casalsgh",
+            "web-flow"
+          ]
+        },
+        {
+          "pr": "23089",
+          "title": "[FIX] Change way emails are validated on livechat registerGuest method",
+          "userLogin": "KevLehman",
+          "milestone": "3.18.1",
+          "contributors": [
+            "KevLehman",
+            "web-flow"
+          ]
+        },
+        {
+          "pr": "23100",
+          "title": "[IMPROVE] Change HTTP and Method logs to level INFO",
+          "userLogin": "sampaiodiego",
+          "milestone": "3.18.1",
+          "contributors": [
+            "sampaiodiego"
+          ]
+        }
+      ]
+    },
+    "3.18.2": {
+      "node_version": "12.22.1",
+      "npm_version": "6.14.1",
+      "apps_engine_version": "1.27.1",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0",
+        "4.2"
+      ],
+      "pull_requests": [
+        {
+          "pr": "23307",
+          "title": "Regression: Change some logs to new format",
+          "userLogin": "KevLehman",
+          "milestone": "3.18.2",
+          "contributors": [
+            "KevLehman"
+          ]
+        },
+        {
+          "pr": "23280",
+          "title": "[FIX] Update visitor info on email reception based on current inbox settings",
+          "userLogin": "KevLehman",
+          "milestone": "3.18.2",
+          "contributors": [
+            "KevLehman",
+            "murtaza98",
+            "web-flow"
+          ]
+        }
+      ]
    }
  }
-}
+}
--- a/HISTORY.md
+++ b/HISTORY.md
--- a/app/lib/server/functions/saveUser.js
+++ b/app/lib/server/functions/saveUser.js
@ -142,15 +142,21 @@ function validateUserData(userId, userData) {
 	}
 }

-function validateUserEditing(userId, userData) {
+/**
+ * Validate permissions to edit user fields
+ *
+ * @param {string} userId
+ * @param {{ _id: string, roles: string[], username: string, name: string, statusText: string, email: string, password: string}} userData
+ */
+export function validateUserEditing(userId, userData) {
 	const editingMyself = userData._id && userId === userData._id;

 	const canEditOtherUserInfo = hasPermission(userId, 'edit-other-user-info');
 	const canEditOtherUserPassword = hasPermission(userId, 'edit-other-user-password');
 	const user = Users.findOneById(userData._id);

-	const isEditingUserRoles = (previousRoles, newRoles) => !_.isEqual(_.sortBy(previousRoles), _.sortBy(newRoles));
-	const isEditingField = (previousValue, newValue) => newValue !== previousValue;
+	const isEditingUserRoles = (previousRoles, newRoles) => typeof newRoles !== 'undefined' && !_.isEqual(_.sortBy(previousRoles), _.sortBy(newRoles));
+	const isEditingField = (previousValue, newValue) => typeof newValue !== 'undefined' && newValue !== previousValue;

 	if (isEditingUserRoles(user.roles, userData.roles) && !hasPermission(userId, 'assign-roles')) {
 		throw new Meteor.Error('error-action-not-allowed', 'Assign roles is not allowed', {
--- a/server/methods/saveUserProfile.js
+++ b/server/methods/saveUserProfile.js
@ -3,6 +3,7 @@ import { Match, check } from 'meteor/check';
 import { Accounts } from 'meteor/accounts-base';

 import { saveCustomFields, passwordPolicy } from '../../app/lib/server';
+import { validateUserEditing } from '../../app/lib/server/functions/saveUser';
 import { Users } from '../../app/models/server';
 import { settings as rcSettings } from '../../app/settings/server';
 import { twoFactorRequired } from '../../app/2fa/server/twoFactorRequired';
@ -23,6 +24,15 @@ function saveUserProfile(settings, customFields) {
 		});
 	}

+	validateUserEditing(this.userId, {
+		_id: this.userId,
+		email: settings.email,
+		username: settings.username,
+		name: settings.realname,
+		password: settings.newPassword,
+		statusText: settings.statusText,
+	});
+
 	const user = Users.findOneById(this.userId);

 	if (settings.realname || settings.username) {
--- a/tests/end-to-end/api/01-users.js
+++ b/tests/end-to-end/api/01-users.js
@ -1375,6 +1375,101 @@ describe('[Users]', function() {
 		reservedWords.forEach((name) => {
 			failUpdateUserOwnBasicInfo(name);
 		});
+
+		it('should throw an error if not allowed to change real name', async () => {
+			await updateSetting('Accounts_AllowRealNameChange', false);
+
+			await request.post(api('users.updateOwnBasicInfo'))
+				.set(credentials)
+				.send({
+					data: {
+						name: 'edited name',
+					},
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+
+			await updateSetting('Accounts_AllowRealNameChange', true);
+		});
+
+		it('should throw an error if not allowed to change username', async () => {
+			await updateSetting('Accounts_AllowUsernameChange', false);
+
+			await request.post(api('users.updateOwnBasicInfo'))
+				.set(credentials)
+				.send({
+					data: {
+						username: 'edited.user.name',
+					},
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+
+			await updateSetting('Accounts_AllowUsernameChange', true);
+		});
+
+		it('should throw an error if not allowed to change statusText', async () => {
+			await updateSetting('Accounts_AllowUserStatusMessageChange', false);
+
+			await request.post(api('users.updateOwnBasicInfo'))
+				.set(credentials)
+				.send({
+					data: {
+						statusText: 'My custom status',
+					},
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+
+			await updateSetting('Accounts_AllowUserStatusMessageChange', true);
+		});
+
+		it('should throw an error if not allowed to change email', async () => {
+			await updateSetting('Accounts_AllowEmailChange', false);
+
+			await request.post(api('users.updateOwnBasicInfo'))
+				.set(credentials)
+				.send({
+					data: {
+						email: 'changed@email.com',
+					},
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+
+			await updateSetting('Accounts_AllowEmailChange', true);
+		});
+
+		it('should throw an error if not allowed to change password', async () => {
+			await updateSetting('Accounts_AllowPasswordChange', false);
+
+			await request.post(api('users.updateOwnBasicInfo'))
+				.set(credentials)
+				.send({
+					data: {
+						newPassword: 'MyNewPassw0rd',
+					},
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+
+			await updateSetting('Accounts_AllowPasswordChange', true);
+		});
 	});

 	describe('[/users.setPreferences]', () => {