Merge pull request #1387 from RocketChat/roles_rest_api

Add permission checks to bulk rest api methods
10 years ago · cf329eb59c
parent 91f224bf69 55efdea054
commit cf329eb59c
4 changed files with 51 additions and 28 deletions
--- a/packages/rocketchat-authorization/server/startup.coffee
+++ b/packages/rocketchat-authorization/server/startup.coffee
@ -72,6 +72,11 @@ Meteor.startup ->
 		{ _id: 'delete-d',
 		roles : ['admin', 'site-moderator']}

+		{ _id: 'bulk-register-user',
+		roles : ['admin']}
+
+		{ _id: 'bulk-create-c',
+		roles : ['admin']}
 	]

 	#alanning:roles
--- a/server/methods/createChannel.coffee
+++ b/server/methods/createChannel.coffee
@ -14,7 +14,7 @@ Meteor.methods
 		now = new Date()
 		user = Meteor.user()

-		members.push user.username
+		members.push user.username if user.username not in members

 		# avoid duplicate names
 		if RocketChat.models.Rooms.findOneByName name
--- a/server/methods/registerUser.coffee
+++ b/server/methods/registerUser.coffee
@ -10,3 +10,5 @@ Meteor.methods

 		if userData.email
 			Accounts.sendVerificationEmail(userId, userData.email);
+
+		return userId
--- a/server/restapi/restapi.coffee
+++ b/server/restapi/restapi.coffee
@ -99,23 +99,31 @@ NOTE:   remove room is NOT recommended; use Meteor.reset() to clear db and re-se
 ###
 Api.addRoute 'bulk/register', authRequired: true,
 	post:
-		roleRequired: ['testagent', 'adminautomation']
+		# restivus 0.8.4 does not support alanning:roles using groups
+		#roleRequired: ['testagent', 'adminautomation']
 		action: ->
-			try
-				Api.testapiValidateUsers  @bodyParams.users
-				this.response.setTimeout (500 * @bodyParams.users.length)
-				ids = []
-				endCount = @bodyParams.users.length - 1
-				for incoming, i in @bodyParams.users
-					ids[i] = Meteor.call 'registerUser', incoming
-					Meteor.runAsUser ids[i].uid, () =>
-						Meteor.call 'setUsername', incoming.name
-						Meteor.call 'joinDefaultChannels'
+			if RocketChat.authz.hasPermission(@userId, 'bulk-register-user') 
+				try
+
+					Api.testapiValidateUsers  @bodyParams.users
+					this.response.setTimeout (500 * @bodyParams.users.length)
+					ids = []
+					endCount = @bodyParams.users.length - 1
+					for incoming, i in @bodyParams.users
+					 	ids[i] = {uid: Meteor.call 'registerUser', incoming}
+					 	Meteor.runAsUser ids[i].uid, () =>
+					 		Meteor.call 'setUsername', incoming.name
+					 		Meteor.call 'joinDefaultChannels'
+
+					status: 'success', ids: ids
+				catch e
+					statusCode: 400    # bad request or other errors
+					body: status: 'fail', message: e.name + ' :: ' + e.message
+			else
+				console.log '[restapi] bulk/register -> '.red, "User does not have 'bulk-register-user' permission"
+				statusCode: 403    
+				body: status: 'error', message: 'You do not have permission to do this'

-				status: 'success', ids: ids
-			catch e
-				statusCode: 400    # bad request or other errors
-				body: status: 'fail', message: e.name + ' :: ' + e.message



@ -136,7 +144,7 @@ Api.testapiValidateRooms =  (rooms) ->
@apiName createRoom
@apiGroup TestAndAdminAutomation
@apiVersion 0.0.1
-@apiParam {json} rooms An array of rooms in the body of the POST.
+@apiParam {json} rooms An array of rooms in the body of the POST. 'name' is room name, 'members' is array of usernames 
@apiParamExample {json} POST Request Body example:
  {
    'rooms':[ {'name': 'room1',
@ -163,18 +171,26 @@ NOTE:   remove room is NOT recommended; use Meteor.reset() to clear db and re-se
 ###
 Api.addRoute 'bulk/createRoom', authRequired: true,
 	post:
-		roleRequired: ['testagent', 'adminautomation']
+		# restivus 0.8.4 does not support alanning:roles using groups
+		#roleRequired: ['testagent', 'adminautomation']
 		action: ->
-			try
-				this.response.setTimeout (1000 * @bodyParams.rooms.length)
-				Api.testapiValidateRooms @bodyParams.rooms
-				ids = []
-				Meteor.runAsUser this.userId, () =>
-					(ids[i] = Meteor.call 'createChannel', incoming.name, incoming.members) for incoming,i in @bodyParams.rooms
-				status: 'success', ids: ids   # need to handle error
-			catch e
-				statusCode: 400    # bad request or other errors
-				body: status: 'fail', message: e.name + ' :: ' + e.message
+			# user must also have create-c permission because 
+			# createChannel method requires it
+			if RocketChat.authz.hasPermission(@userId, 'bulk-create-c') 
+				try
+					this.response.setTimeout (1000 * @bodyParams.rooms.length)
+					Api.testapiValidateRooms @bodyParams.rooms
+					ids = []
+					Meteor.runAsUser this.userId, () =>
+						(ids[i] = Meteor.call 'createChannel', incoming.name, incoming.members) for incoming,i in @bodyParams.rooms
+					status: 'success', ids: ids   # need to handle error
+				catch e
+					statusCode: 400    # bad request or other errors
+					body: status: 'fail', message: e.name + ' :: ' + e.message
+			else
+				console.log '[restapi] bulk/createRoom -> '.red, "User does not have 'bulk-create-c' permission"
+				statusCode: 403    
+				body: status: 'error', message: 'You do not have permission to do this'