Merge pull request #1387 from RocketChat/roles_rest_api

Add permission checks to bulk rest api methods
10 years ago · cf329eb59c
parent 91f224bf69 55efdea054
commit cf329eb59c
4 changed files with 51 additions and 28 deletions
--- a/packages/rocketchat-authorization/server/startup.coffee
+++ b/packages/rocketchat-authorization/server/startup.coffee
@ -72,6 +72,11 @@ Meteor.startup ->
 		{ _id: 'delete-d',
 		roles : ['admin', 'site-moderator']}

+		{ _id: 'bulk-register-user',
+		roles : ['admin']}
+
+		{ _id: 'bulk-create-c',
+		roles : ['admin']}
 	]

 	#alanning:roles
--- a/server/methods/createChannel.coffee
+++ b/server/methods/createChannel.coffee
@ -14,7 +14,7 @@ Meteor.methods
 		now = new Date()
 		user = Meteor.user()

-		members.push user.username
+		members.push user.username if user.username not in members

 		# avoid duplicate names
 		if RocketChat.models.Rooms.findOneByName name
--- a/server/methods/registerUser.coffee
+++ b/server/methods/registerUser.coffee
@ -10,3 +10,5 @@ Meteor.methods

 		if userData.email
 			Accounts.sendVerificationEmail(userId, userData.email);
+
+		return userId
--- a/server/restapi/restapi.coffee
+++ b/server/restapi/restapi.coffee
@ -99,15 +99,18 @@ NOTE:   remove room is NOT recommended; use Meteor.reset() to clear db and re-se
 ###
 Api.addRoute 'bulk/register', authRequired: true,
 	post:
-		roleRequired: ['testagent', 'adminautomation']
+		# restivus 0.8.4 does not support alanning:roles using groups
+		#roleRequired: ['testagent', 'adminautomation']
 		action: ->
+			if RocketChat.authz.hasPermission(@userId, 'bulk-register-user') 
 				try
+
 					Api.testapiValidateUsers  @bodyParams.users
 					this.response.setTimeout (500 * @bodyParams.users.length)
 					ids = []
 					endCount = @bodyParams.users.length - 1
 					for incoming, i in @bodyParams.users
-					ids[i] = Meteor.call 'registerUser', incoming
+					 	ids[i] = {uid: Meteor.call 'registerUser', incoming}
 					 	Meteor.runAsUser ids[i].uid, () =>
 					 		Meteor.call 'setUsername', incoming.name
 					 		Meteor.call 'joinDefaultChannels'
@ -116,6 +119,11 @@ Api.addRoute 'bulk/register', authRequired: true,
 				catch e
 					statusCode: 400    # bad request or other errors
 					body: status: 'fail', message: e.name + ' :: ' + e.message
+			else
+				console.log '[restapi] bulk/register -> '.red, "User does not have 'bulk-register-user' permission"
+				statusCode: 403    
+				body: status: 'error', message: 'You do not have permission to do this'
+



@ -136,7 +144,7 @@ Api.testapiValidateRooms =  (rooms) ->
@apiName createRoom
@apiGroup TestAndAdminAutomation
@apiVersion 0.0.1
-@apiParam {json} rooms An array of rooms in the body of the POST.
+@apiParam {json} rooms An array of rooms in the body of the POST. 'name' is room name, 'members' is array of usernames 
@apiParamExample {json} POST Request Body example:
  {
    'rooms':[ {'name': 'room1',
@ -163,8 +171,12 @@ NOTE:   remove room is NOT recommended; use Meteor.reset() to clear db and re-se
 ###
 Api.addRoute 'bulk/createRoom', authRequired: true,
 	post:
-		roleRequired: ['testagent', 'adminautomation']
+		# restivus 0.8.4 does not support alanning:roles using groups
+		#roleRequired: ['testagent', 'adminautomation']
 		action: ->
+			# user must also have create-c permission because 
+			# createChannel method requires it
+			if RocketChat.authz.hasPermission(@userId, 'bulk-create-c') 
 				try
 					this.response.setTimeout (1000 * @bodyParams.rooms.length)
 					Api.testapiValidateRooms @bodyParams.rooms
@ -175,6 +187,10 @@ Api.addRoute 'bulk/createRoom', authRequired: true,
 				catch e
 					statusCode: 400    # bad request or other errors
 					body: status: 'fail', message: e.name + ' :: ' + e.message
+			else
+				console.log '[restapi] bulk/createRoom -> '.red, "User does not have 'bulk-create-c' permission"
+				statusCode: 403    
+				body: status: 'error', message: 'You do not have permission to do this'