From 35506a5a216caee84e35faa984a28b203c784b09 Mon Sep 17 00:00:00 2001 From: Reid Wakida Date: Wed, 11 Nov 2015 14:59:53 -1000 Subject: [PATCH 1/2] Update rest bulk api to work with backend changes and remove role requirements because restivus is not compatible with alanning:roles with groups --- server/methods/createChannel.coffee | 2 +- server/methods/registerUser.coffee | 2 ++ server/restapi/restapi.coffee | 14 +++++++------- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/server/methods/createChannel.coffee b/server/methods/createChannel.coffee index c3dff18c170..817412e5083 100644 --- a/server/methods/createChannel.coffee +++ b/server/methods/createChannel.coffee @@ -14,7 +14,7 @@ Meteor.methods now = new Date() user = Meteor.user() - members.push user.username + members.push user.username if user.username not in members # avoid duplicate names if RocketChat.models.Rooms.findOneByName name diff --git a/server/methods/registerUser.coffee b/server/methods/registerUser.coffee index ec9baf84f49..4a73cd73167 100644 --- a/server/methods/registerUser.coffee +++ b/server/methods/registerUser.coffee @@ -10,3 +10,5 @@ Meteor.methods if userData.email Accounts.sendVerificationEmail(userId, userData.email); + + return userId diff --git a/server/restapi/restapi.coffee b/server/restapi/restapi.coffee index 90ba65e19b1..79abfe263c3 100644 --- a/server/restapi/restapi.coffee +++ b/server/restapi/restapi.coffee @@ -99,7 +99,7 @@ NOTE: remove room is NOT recommended; use Meteor.reset() to clear db and re-se ### Api.addRoute 'bulk/register', authRequired: true, post: - roleRequired: ['testagent', 'adminautomation'] + #roleRequired: ['testagent', 'adminautomation'] action: -> try Api.testapiValidateUsers @bodyParams.users 
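Review bot: Commenting out `roleRequired` on `bulk/register` removes the only authorization beyond `authRequired: true`, so at this commit any logged-in account can call a route that registers users and sets their usernames; the `hasPermission` guard only appears in the following patch of this series. Squashing the two patches, or adding the permission check here, avoids a revision in history where the endpoint is open to every authenticated user, which matters for bisecting and for anyone deploying this commit alone; the `bulk/createRoom` hunk later in this patch has the same gap. A commented-out option also invites the next reader to reinstate it; a comment such as `# roleRequired not set: restivus cannot evaluate alanning:roles groups, authorization must be enforced inside action` states the intent without leaving dead configuration behind.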
@@ -107,10 +107,10 @@ Api.addRoute 'bulk/register', authRequired: true, ids = [] endCount = @bodyParams.users.length - 1 for incoming, i in @bodyParams.users - ids[i] = Meteor.call 'registerUser', incoming - Meteor.runAsUser ids[i].uid, () => - Meteor.call 'setUsername', incoming.name - Meteor.call 'joinDefaultChannels' + ids[i] = {uid: Meteor.call 'registerUser', incoming} + Meteor.runAsUser ids[i].uid, () => + Meteor.call 'setUsername', incoming.name + Meteor.call 'joinDefaultChannels' status: 'success', ids: ids catch e @@ -136,7 +136,7 @@ Api.testapiValidateRooms = (rooms) -> @apiName createRoom @apiGroup TestAndAdminAutomation @apiVersion 0.0.1 -@apiParam {json} rooms An array of rooms in the body of the POST. +@apiParam {json} rooms An array of rooms in the body of the POST. 'name' is room name, 'members' is array of usernames @apiParamExample {json} POST Request Body example: { 'rooms':[ {'name': 'room1', @@ -163,7 +163,7 @@ NOTE: remove room is NOT recommended; use Meteor.reset() to clear db and re-se ### Api.addRoute 'bulk/createRoom', authRequired: true, post: - roleRequired: ['testagent', 'adminautomation'] + #roleRequired: ['testagent', 'adminautomation'] action: -> try this.response.setTimeout (1000 * @bodyParams.rooms.length) From 55efdea054a290d194aa6ce7480a9548ec3477bd Mon Sep 17 00:00:00 2001 From: Reid Wakida Date: Wed, 11 Nov 2015 18:55:01 -1000 Subject: [PATCH 2/2] Adds 2 new permissions related to bulk user registration and bulk channel creation. Permissions are assigned admin role. The nimble:restivus package, used by REST api, does not support alanning:roles with 'groups'. It doesn't even use the alanning:roles API to check for roles. As a workaround, I removed restivus's rolesRequired check from the bulk api methods and added Rocketchat.authz.hasPermission checks. --- .../server/startup.coffee | 5 ++ server/restapi/restapi.coffee | 64 ++++++++++++------- 2 files changed, 45 insertions(+), 24 deletions(-) 
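Review bot: `Meteor.call 'registerUser', incoming` forwards each element of the request body to the method unchanged, so any extra keys a caller includes travel with it; whether `Api.testapiValidateUsers` (outside this hunk) restricts each object to the expected keys cannot be seen here, and if it does not, passing only the fields the method reads is the safer shape. `endCount` is assigned on the new side but never used and can be dropped. The new `{uid: ...}` wrapper also means the response returns the created accounts' ids to the caller, which is reasonable for an automation endpoint but worth stating in the route's apidoc comment block above it.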
diff --git a/packages/rocketchat-authorization/server/startup.coffee b/packages/rocketchat-authorization/server/startup.coffee index a8072af4f3c..c7cd71d4072 100644 --- a/packages/rocketchat-authorization/server/startup.coffee +++ b/packages/rocketchat-authorization/server/startup.coffee @@ -72,6 +72,11 @@ Meteor.startup -> { _id: 'delete-d', roles : ['admin', 'site-moderator']} + { _id: 'bulk-register-user', + roles : ['admin']} + + { _id: 'bulk-create-c', + roles : ['admin']} ] #alanning:roles diff --git a/server/restapi/restapi.coffee b/server/restapi/restapi.coffee index 79abfe263c3..55f4c2bea0f 100644 --- a/server/restapi/restapi.coffee +++ b/server/restapi/restapi.coffee 
@@ -99,23 +99,31 @@ NOTE: remove room is NOT recommended; use Meteor.reset() to clear db and re-se ### Api.addRoute 'bulk/register', authRequired: true, post: + # restivus 0.8.4 does not support alanning:roles using groups #roleRequired: ['testagent', 'adminautomation'] action: -> - try - Api.testapiValidateUsers @bodyParams.users - this.response.setTimeout (500 * @bodyParams.users.length) - ids = [] - endCount = @bodyParams.users.length - 1 - for incoming, i in @bodyParams.users - ids[i] = {uid: Meteor.call 'registerUser', incoming} - Meteor.runAsUser ids[i].uid, () => - Meteor.call 'setUsername', incoming.name - Meteor.call 'joinDefaultChannels' + if RocketChat.authz.hasPermission(@userId, 'bulk-register-user') + try + + Api.testapiValidateUsers @bodyParams.users + this.response.setTimeout (500 * @bodyParams.users.length) + ids = [] + endCount = @bodyParams.users.length - 1 + for incoming, i in @bodyParams.users + ids[i] = {uid: Meteor.call 'registerUser', incoming} + Meteor.runAsUser ids[i].uid, () => + Meteor.call 'setUsername', incoming.name + Meteor.call 'joinDefaultChannels' + + status: 'success', ids: ids + catch e + statusCode: 400 # bad request or other errors + body: status: 'fail', message: e.name + ' :: ' + e.message + else + console.log '[restapi] bulk/register -> '.red, "User does not have 'bulk-register-user' permission" + statusCode: 403 + body: status: 'error', message: 'You do not have permission to do this' - status: 'success', ids: ids - catch e - statusCode: 400 # bad request or other errors - body: status: 'fail', message: e.name + ' :: ' + e.message 
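Review bot: The new 403 branch logs the denial without identifying the caller, so the log line cannot be tied to an account when someone lacking `bulk-register-user` probes the endpoint; include the id, e.g. `console.log '[restapi] bulk/register -> '.red, "User #{@userId} does not have 'bulk-register-user' permission"`. The same applies to the 403 branch in the bulk/createRoom hunk below. Wrapping the whole body in `if RocketChat.authz.hasPermission(...)` / `else` would read more simply as a guard clause that returns the 403 object first, the blank line directly after `try` looks unintended, and `endCount` is still never used. Note that the `catch e` branch continues to return `e.name + ' :: ' + e.message` to the client, which forwards whatever the underlying methods throw, including any TypeError text when `@bodyParams.users` is missing.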
@@ -163,18 +171,26 @@ NOTE: remove room is NOT recommended; use Meteor.reset() to clear db and re-se ### Api.addRoute 'bulk/createRoom', authRequired: true, post: + # restivus 0.8.4 does not support alanning:roles using groups #roleRequired: ['testagent', 'adminautomation'] action: -> - try - this.response.setTimeout (1000 * @bodyParams.rooms.length) - Api.testapiValidateRooms @bodyParams.rooms - ids = [] - Meteor.runAsUser this.userId, () => - (ids[i] = Meteor.call 'createChannel', incoming.name, incoming.members) for incoming,i in @bodyParams.rooms - status: 'success', ids: ids # need to handle error - catch e - statusCode: 400 # bad request or other errors - body: status: 'fail', message: e.name + ' :: ' + e.message + # user must also have create-c permission because + # createChannel method requires it + if RocketChat.authz.hasPermission(@userId, 'bulk-create-c') + try + this.response.setTimeout (1000 * @bodyParams.rooms.length) + Api.testapiValidateRooms @bodyParams.rooms + ids = [] + Meteor.runAsUser this.userId, () => + (ids[i] = Meteor.call 'createChannel', incoming.name, incoming.members) for incoming,i in @bodyParams.rooms + status: 'success', ids: ids # need to handle error + catch e + statusCode: 400 # bad request or other errors + body: status: 'fail', message: e.name + ' :: ' + e.message + else + console.log '[restapi] bulk/createRoom -> '.red, "User does not have 'bulk-create-c' permission" + statusCode: 403 + body: status: 'error', message: 'You do not have permission to do this'
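Review bot: A failure on the n-th `createChannel` call inside the `Meteor.runAsUser` loop aborts the batch after the earlier rooms were already created, and the 400 response carries only the exception text, so the caller cannot tell which rooms now exist; the `# need to handle error` comment on the success line records exactly this and survives the rewrite unchanged. At minimum return the partial result in the failure branch, `body: status: 'fail', message: e.name + ' :: ' + e.message, ids: ids`, so the caller can reconcile. `this.response.setTimeout (1000 * @bodyParams.rooms.length)` also runs before `Api.testapiValidateRooms @bodyParams.rooms`, so a body without a `rooms` array surfaces as a TypeError message in the 400 body instead of a validation message; swapping those two lines, as the bulk/register route already orders them, fixes that. The comment above the check says "create-c" while the check is for `bulk-create-c`; since `createChannel` runs as `this.userId`, the caller evidently needs both, and the comment should say so explicitly.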