diff --git a/packages/rocketchat-authorization/server/startup.coffee b/packages/rocketchat-authorization/server/startup.coffee
index a8072af4f3c..c7cd71d4072 100644
--- a/packages/rocketchat-authorization/server/startup.coffee
+++ b/packages/rocketchat-authorization/server/startup.coffee
@@ -72,6 +72,11 @@ Meteor.startup ->
 { _id: 'delete-d',
 roles : ['admin', 'site-moderator']}
+ { _id: 'bulk-register-user',
+ roles : ['admin']}
+
+ { _id: 'bulk-create-c',
+ roles : ['admin']}
 ]
 #alanning:roles
diff --git a/server/methods/createChannel.coffee b/server/methods/createChannel.coffee
index c3dff18c170..817412e5083 100644
--- a/server/methods/createChannel.coffee
+++ b/server/methods/createChannel.coffee
@@ -14,7 +14,7 @@ Meteor.methods
 now = new Date()
 user = Meteor.user()
- members.push user.username
+ members.push user.username if user.username not in members # avoid duplicate names
 if RocketChat.models.Rooms.findOneByName name
diff --git a/server/methods/registerUser.coffee b/server/methods/registerUser.coffee
index ec9baf84f49..4a73cd73167 100644
--- a/server/methods/registerUser.coffee
+++ b/server/methods/registerUser.coffee
@@ -10,3 +10,5 @@ Meteor.methods
 if userData.email
 Accounts.sendVerificationEmail(userId, userData.email);
+
+ return userId
diff --git a/server/restapi/restapi.coffee b/server/restapi/restapi.coffee
index 90ba65e19b1..55f4c2bea0f 100644
--- a/server/restapi/restapi.coffee
+++ b/server/restapi/restapi.coffee
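Review bot: In the createChannel.coffee hunk, the rewritten line still dereferences `user.username` straight off `Meteor.user()`, which is null when the method is invoked without a logged-in user; unless the method already rejects that case earlier (its body starts outside the hunk), the result is a raw TypeError rather than a `Meteor.Error` the client can act on. A guard such as `throw new Meteor.Error 'invalid-user' unless user?.username` placed before the push would make the failure explicit (the error id is a sample, choose the project's convention). The duplicate check also covers only the caller's own name; if `members` arrives from the client it may still carry repeated or unknown usernames, so it is worth stating in a comment whether that is validated elsewhere.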
@@ -99,23 +99,31 @@ NOTE: remove room is NOT recommended; use Meteor.reset() to clear db and re-se
 ###
 Api.addRoute 'bulk/register', authRequired: true,
 post:
- roleRequired: ['testagent', 'adminautomation']
+ # restivus 0.8.4 does not support alanning:roles using groups
+ #roleRequired: ['testagent', 'adminautomation']
 action: ->
- try
- Api.testapiValidateUsers @bodyParams.users
- this.response.setTimeout (500 * @bodyParams.users.length)
- ids = []
- endCount = @bodyParams.users.length - 1
- for incoming, i in @bodyParams.users
- ids[i] = Meteor.call 'registerUser', incoming
- Meteor.runAsUser ids[i].uid, () =>
- Meteor.call 'setUsername', incoming.name
- Meteor.call 'joinDefaultChannels'
+ if RocketChat.authz.hasPermission(@userId, 'bulk-register-user')
+ try
+
+ Api.testapiValidateUsers @bodyParams.users
+ this.response.setTimeout (500 * @bodyParams.users.length)
+ ids = []
+ endCount = @bodyParams.users.length - 1
+ for incoming, i in @bodyParams.users
+ ids[i] = {uid: Meteor.call 'registerUser', incoming}
+ Meteor.runAsUser ids[i].uid, () =>
+ Meteor.call 'setUsername', incoming.name
+ Meteor.call 'joinDefaultChannels'
+
+ status: 'success', ids: ids
+ catch e
+ statusCode: 400 # bad request or other errors
+ body: status: 'fail', message: e.name + ' :: ' + e.message
+ else
+ console.log '[restapi] bulk/register -> '.red, "User does not have 'bulk-register-user' permission"
+ statusCode: 403
+ body: status: 'error', message: 'You do not have permission to do this'
- status: 'success', ids: ids
- catch e
- statusCode: 400 # bad request or other errors
- body: status: 'fail', message: e.name + ' :: ' + e.message
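Review bot: The new line `ids[i] = {uid: Meteor.call 'registerUser', incoming}` relies on CoffeeScript's greedy implicit-call parsing inside the braces; it should compile to `Meteor.call('registerUser', incoming)`, but it reads as two object keys, so write it as `ids[i] = {uid: Meteor.call('registerUser', incoming)}` to make the intent unambiguous. `endCount` is carried over into the new block but is never used, and the blank line directly after `try` is a leftover; both can go. The `hasPermission` gate is the right replacement for the commented-out `roleRequired`, and since restivus groups are no longer consulted, a short comment above the `if` naming the permission as the sole authorization check for this route would help future readers. The same structure (unused local aside) is repeated in the bulk/createRoom hunk, so consider factoring the 403 response into a small helper shared by both routes.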
@@ -136,7 +144,7 @@ Api.testapiValidateRooms = (rooms) ->
 @apiName createRoom
 @apiGroup TestAndAdminAutomation
 @apiVersion 0.0.1
-@apiParam {json} rooms An array of rooms in the body of the POST.
+@apiParam {json} rooms An array of rooms in the body of the POST. 'name' is room name, 'members' is array of usernames
 @apiParamExample {json} POST Request Body example:
 { 'rooms':[ {'name': 'room1',
@@ -163,18 +171,26 @@ NOTE: remove room is NOT recommended; use Meteor.reset() to clear db and re-se
 ###
 Api.addRoute 'bulk/createRoom', authRequired: true,
 post:
- roleRequired: ['testagent', 'adminautomation']
+ # restivus 0.8.4 does not support alanning:roles using groups
+ #roleRequired: ['testagent', 'adminautomation']
 action: ->
- try
- this.response.setTimeout (1000 * @bodyParams.rooms.length)
- Api.testapiValidateRooms @bodyParams.rooms
- ids = []
- Meteor.runAsUser this.userId, () =>
- (ids[i] = Meteor.call 'createChannel', incoming.name, incoming.members) for incoming,i in @bodyParams.rooms
- status: 'success', ids: ids # need to handle error
- catch e
- statusCode: 400 # bad request or other errors
- body: status: 'fail', message: e.name + ' :: ' + e.message
+ # user must also have create-c permission because
+ # createChannel method requires it
+ if RocketChat.authz.hasPermission(@userId, 'bulk-create-c')
+ try
+ this.response.setTimeout (1000 * @bodyParams.rooms.length)
+ Api.testapiValidateRooms @bodyParams.rooms
+ ids = []
+ Meteor.runAsUser this.userId, () =>
+ (ids[i] = Meteor.call 'createChannel', incoming.name, incoming.members) for incoming,i in @bodyParams.rooms
+ status: 'success', ids: ids # need to handle error
+ catch e
+ statusCode: 400 # bad request or other errors
+ body: status: 'fail', message: e.name + ' :: ' + e.message
+ else
+ console.log '[restapi] bulk/createRoom -> '.red, "User does not have 'bulk-create-c' permission"
+ statusCode: 403
+ body: status: 'error', message: 'You do not have permission to do this'
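Review bot: The new comment `# user must also have create-c permission because createChannel method requires it` sits directly above an `if` that checks `bulk-create-c`, so it reads as if that line enforced `create-c`; reword it to say where each check lives, e.g. `# this route checks bulk-create-c; createChannel, invoked via runAsUser as this user, enforces its own create-c permission`. In the bulk/createRoom body `this.response.setTimeout (1000 * @bodyParams.rooms.length)` runs before `Api.testapiValidateRooms @bodyParams.rooms`, the opposite order from bulk/register, so a missing or non-array `rooms` surfaces as a TypeError with a raw message in the 400 body instead of the validator's error; swapping those two lines aligns the two routes. The `# need to handle error` remark is carried over unchanged on the success line; if the surrounding `try`/`catch` is considered sufficient, drop it, otherwise say what error case is still open.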