From 37a9ac7ae98e28f332cd14891ac382b76a4adc24 Mon Sep 17 00:00:00 2001 From: Martin Schoeler Date: Wed, 31 Aug 2016 10:23:52 -0300 Subject: [PATCH 1/6] Add more checks to methods --- packages/rocketchat-lib/server/methods/archiveRoom.coffee | 3 +++ packages/rocketchat-lib/server/methods/createChannel.coffee | 4 ++++ .../rocketchat-lib/server/methods/createPrivateGroup.coffee | 4 ++++ packages/rocketchat-lib/server/methods/deleteMessage.coffee | 3 +++ packages/rocketchat-lib/server/methods/joinRoom.coffee | 4 ++++ packages/rocketchat-lib/server/methods/leaveRoom.coffee | 3 +++ packages/rocketchat-lib/server/methods/unarchiveRoom.coffee | 3 +++ packages/rocketchat-lib/server/methods/updateMessage.coffee | 3 +++ 8 files changed, 27 insertions(+) diff --git a/packages/rocketchat-lib/server/methods/archiveRoom.coffee b/packages/rocketchat-lib/server/methods/archiveRoom.coffee index 9f7d75cfce1..7d33ff84770 100644 --- a/packages/rocketchat-lib/server/methods/archiveRoom.coffee +++ b/packages/rocketchat-lib/server/methods/archiveRoom.coffee @@ -1,5 +1,8 @@ Meteor.methods archiveRoom: (rid) -> + + check rid, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'archiveRoom' } diff --git a/packages/rocketchat-lib/server/methods/createChannel.coffee b/packages/rocketchat-lib/server/methods/createChannel.coffee index f6aad714e85..0bc29f1e01f 100644 --- a/packages/rocketchat-lib/server/methods/createChannel.coffee +++ b/packages/rocketchat-lib/server/methods/createChannel.coffee @@ -1,5 +1,9 @@ Meteor.methods createChannel: (name, members) -> + + check name, String + check members, [String] + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', "Invalid user", { method: 'createChannel' } diff --git a/packages/rocketchat-lib/server/methods/createPrivateGroup.coffee b/packages/rocketchat-lib/server/methods/createPrivateGroup.coffee index e90eec50333..87585ba39cd 100644 
--- a/packages/rocketchat-lib/server/methods/createPrivateGroup.coffee +++ b/packages/rocketchat-lib/server/methods/createPrivateGroup.coffee @@ -1,5 +1,9 @@ Meteor.methods createPrivateGroup: (name, members) -> + + check name, String + check members, [String] + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', "Invalid user", { method: 'createPrivateGroup' } diff --git a/packages/rocketchat-lib/server/methods/deleteMessage.coffee b/packages/rocketchat-lib/server/methods/deleteMessage.coffee index fa7ddfe58e1..f19d2bb0c1f 100644 --- a/packages/rocketchat-lib/server/methods/deleteMessage.coffee +++ b/packages/rocketchat-lib/server/methods/deleteMessage.coffee @@ -1,5 +1,8 @@ Meteor.methods deleteMessage: (message) -> + + check message, Match.ObjectIncluding({_id:String}) + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'deleteMessage' } diff --git a/packages/rocketchat-lib/server/methods/joinRoom.coffee b/packages/rocketchat-lib/server/methods/joinRoom.coffee index 095e23dd22c..ae4f902fdf1 100644 --- a/packages/rocketchat-lib/server/methods/joinRoom.coffee +++ b/packages/rocketchat-lib/server/methods/joinRoom.coffee @@ -1,5 +1,9 @@ Meteor.methods joinRoom: (rid, code) -> + + check rid, String + check code, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'joinRoom' } diff --git a/packages/rocketchat-lib/server/methods/leaveRoom.coffee b/packages/rocketchat-lib/server/methods/leaveRoom.coffee index f00ab1de6a5..b3f0e29ca9c 100644 --- a/packages/rocketchat-lib/server/methods/leaveRoom.coffee +++ b/packages/rocketchat-lib/server/methods/leaveRoom.coffee @@ -1,5 +1,8 @@ Meteor.methods leaveRoom: (rid) -> + + check rid, String + unless Meteor.userId() throw new Meteor.Error('error-invalid-user', "Invalid user", { method: 'leaveRoom' }) 
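Review bot: `check code, String` in joinRoom rejects any caller that omits the join code, which is presumably the common case for rooms that have none; if `code` is only sent for code-protected rooms, the line should be `check code, Match.Optional(String)`. The later commits in this series loosen similar checks in createChannel, messageSearch and setAvatarFromService but leave this one, so it looks like an oversight rather than a decision. The body of joinRoom that consumes `code` is outside the hunk, so this cannot be confirmed here.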
diff --git a/packages/rocketchat-lib/server/methods/unarchiveRoom.coffee b/packages/rocketchat-lib/server/methods/unarchiveRoom.coffee index 699398bf06e..a5fd95a7221 100644 --- a/packages/rocketchat-lib/server/methods/unarchiveRoom.coffee +++ b/packages/rocketchat-lib/server/methods/unarchiveRoom.coffee @@ -1,5 +1,8 @@ Meteor.methods unarchiveRoom: (rid) -> + + check rid, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'unarchiveRoom' } diff --git a/packages/rocketchat-lib/server/methods/updateMessage.coffee b/packages/rocketchat-lib/server/methods/updateMessage.coffee index 1e9d27e6569..8db60860875 100644 --- a/packages/rocketchat-lib/server/methods/updateMessage.coffee +++ b/packages/rocketchat-lib/server/methods/updateMessage.coffee @@ -1,5 +1,8 @@ Meteor.methods updateMessage: (message) -> + + check message, Match.ObjectIncluding({_id:String}) + if not Meteor.userId() throw new Meteor.Error('error-invalid-user', "Invalid user", { method: 'updateMessage' }) From 6116da90993f873b0006086f3d29967c6578df5a Mon Sep 17 00:00:00 2001 
From: Martin Schoeler Date: Thu, 1 Sep 2016 09:38:58 -0300 Subject: [PATCH 2/6] no message --- server/methods/addAllUserToRoom.js | 3 +++ server/methods/addRoomModerator.coffee | 5 +++-- server/methods/addRoomOwner.coffee | 5 +++-- server/methods/canAccessRoom.coffee | 4 ++++ server/methods/channelsList.coffee | 6 ++++++ server/methods/createDirectMessage.coffee | 3 +++ server/methods/deleteFileMessage.js | 3 +++ server/methods/deleteUser.coffee | 3 +++ server/methods/eraseRoom.coffee | 3 +++ server/methods/getAvatarSuggestion.coffee | 3 +++ server/methods/getRoomIdByNameOrId.coffee | 3 +++ server/methods/groupsList.js | 5 +++++ server/methods/hideRoom.coffee | 3 +++ server/methods/loadHistory.coffee | 6 ++++++ server/methods/loadLocale.coffee | 3 +++ server/methods/loadMissedMessages.coffee | 4 ++++ server/methods/loadNextMessages.coffee | 5 +++++ server/methods/loadSurroundingMessages.coffee | 4 ++++ server/methods/logoutCleanUp.coffee | 3 +++ server/methods/messageSearch.coffee | 5 +++++ server/methods/migrate.coffee | 3 +++ server/methods/muteUserInRoom.coffee | 4 +++- server/methods/openRoom.coffee | 3 +++ server/methods/readMessages.coffee | 3 +++ server/methods/registerUser.coffee | 3 +++ server/methods/removeRoomModerator.coffee | 5 +++-- server/methods/removeRoomOwner.coffee | 5 +++-- server/methods/removeUserFromRoom.coffee | 4 +++- server/methods/reportMessage.coffee | 4 ++++ server/methods/resetAvatar.coffee | 2 +- server/methods/saveUserPreferences.coffee | 3 +++ server/methods/saveUserProfile.coffee | 3 +++ server/methods/sendConfirmationEmail.coffee | 3 +++ server/methods/sendForgotPasswordEmail.coffee | 3 +++ server/methods/setAvatarFromService.coffee | 5 +++++ server/methods/setUserActiveStatus.coffee | 3 +++ server/methods/setUserPassword.coffee | 3 +++ server/methods/toogleFavorite.coffee | 4 ++++ server/methods/userSetUtcOffset.coffee | 3 +++ 39 files changed, 134 insertions(+), 11 deletions(-) 
diff --git a/server/methods/addAllUserToRoom.js b/server/methods/addAllUserToRoom.js index 8fbe66c1941..f3f524edb00 100644 --- a/server/methods/addAllUserToRoom.js +++ b/server/methods/addAllUserToRoom.js @@ -1,5 +1,8 @@ Meteor.methods({ addAllUserToRoom: function(rid) { + + check (rid, String); + if (RocketChat.authz.hasRole(this.userId, 'admin') === true) { var now, room, users; var userCount = RocketChat.models.Users.find().count(); diff --git a/server/methods/addRoomModerator.coffee b/server/methods/addRoomModerator.coffee index ca0f4fa2467..963a75e1b23 100644 --- a/server/methods/addRoomModerator.coffee +++ b/server/methods/addRoomModerator.coffee @@ -1,11 +1,12 @@ Meteor.methods addRoomModerator: (rid, userId) -> - unless Meteor.userId() - throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'addRoomModerator' } check rid, String check userId, String + unless Meteor.userId() + throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'addRoomModerator' } + unless RocketChat.authz.hasPermission Meteor.userId(), 'set-moderator', rid throw new Meteor.Error 'error-not-allowed', 'Not allowed', { method: 'addRoomModerator' } diff --git a/server/methods/addRoomOwner.coffee b/server/methods/addRoomOwner.coffee index aba506c5497..7d051bcbaff 100644 --- a/server/methods/addRoomOwner.coffee +++ b/server/methods/addRoomOwner.coffee @@ -1,11 +1,12 @@ Meteor.methods addRoomOwner: (rid, userId) -> - unless Meteor.userId() - throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'addRoomOwner' } check rid, String check userId, String + unless Meteor.userId() + throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'addRoomOwner' } + unless RocketChat.authz.hasPermission Meteor.userId(), 'set-owner', rid throw new Meteor.Error 'error-not-allowed', 'Not allowed', { method: 'addRoomOwner' } diff --git a/server/methods/canAccessRoom.coffee b/server/methods/canAccessRoom.coffee index a7c88ea4c81..cceb6ee4159 100644 
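Review bot: `check (rid, String);` in addAllUserToRoom puts a space between the function name and its argument list, which reads like a keyword and differs from the `check(nameFilter,String);` form used in groupsList and the other JS hunks; `check(rid, String);` is the conventional spelling. The function body continues outside the hunk.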
--- a/server/methods/canAccessRoom.coffee +++ b/server/methods/canAccessRoom.coffee @@ -1,5 +1,9 @@ Meteor.methods canAccessRoom: (rid, userId) -> + + check rid, String + check userId, String + user = RocketChat.models.Users.findOneById userId, fields: username: 1 unless user?.username diff --git a/server/methods/channelsList.coffee b/server/methods/channelsList.coffee index 1d7f96466d7..39d66564245 100644 --- a/server/methods/channelsList.coffee +++ b/server/methods/channelsList.coffee @@ -1,5 +1,11 @@ Meteor.methods channelsList: (filter, channelType, limit, sort) -> + + check filter, String + check channelType, String + check limit, Match.Optional(Number) + check sort, Match.Optional(String) + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'channelsList' } diff --git a/server/methods/createDirectMessage.coffee b/server/methods/createDirectMessage.coffee index 14acbe48382..cf85ef5bbc6 100644 --- a/server/methods/createDirectMessage.coffee +++ b/server/methods/createDirectMessage.coffee @@ -1,5 +1,8 @@ Meteor.methods createDirectMessage: (username) -> + + check username, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', "Invalid user", { method: 'createDirectMessage' } diff --git a/server/methods/deleteFileMessage.js b/server/methods/deleteFileMessage.js index 0fd4125b675..2e55880fda7 100644 --- a/server/methods/deleteFileMessage.js +++ b/server/methods/deleteFileMessage.js @@ -1,5 +1,8 @@ Meteor.methods({ deleteFileMessage: function(fileID) { + + check fileID, String + return Meteor.call('deleteMessage', RocketChat.models.Messages.getMessageByFileId(fileID)); } }); diff --git a/server/methods/deleteUser.coffee b/server/methods/deleteUser.coffee index 7344baecf15..9edfa4bddae 100644 --- a/server/methods/deleteUser.coffee +++ b/server/methods/deleteUser.coffee 
@@ -1,5 +1,8 @@ Meteor.methods deleteUser: (userId) -> + + check userId, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', "Invalid user", { method: 'deleteUser' } diff --git a/server/methods/eraseRoom.coffee b/server/methods/eraseRoom.coffee index 7e06d9ec289..760863b1acc 100644 --- a/server/methods/eraseRoom.coffee +++ b/server/methods/eraseRoom.coffee @@ -1,5 +1,8 @@ Meteor.methods eraseRoom: (rid) -> + + check rid, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'eraseRoom' } diff --git a/server/methods/getAvatarSuggestion.coffee b/server/methods/getAvatarSuggestion.coffee index 070c20dcf97..b5dba33c3f5 100644 --- a/server/methods/getAvatarSuggestion.coffee +++ b/server/methods/getAvatarSuggestion.coffee @@ -1,4 +1,7 @@ @getAvatarSuggestionForUser = (user) -> + + check user, Object + avatars = [] if user.services.facebook?.id? and RocketChat.settings.get 'Accounts_OAuth_Facebook' diff --git a/server/methods/getRoomIdByNameOrId.coffee b/server/methods/getRoomIdByNameOrId.coffee index 4e1436f34f4..e372fb5de17 100644 --- a/server/methods/getRoomIdByNameOrId.coffee +++ b/server/methods/getRoomIdByNameOrId.coffee @@ -1,5 +1,8 @@ Meteor.methods getRoomIdByNameOrId: (rid) -> + + check rid, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'getRoomIdByNameOrId' } diff --git a/server/methods/groupsList.js b/server/methods/groupsList.js index 558aa6c7818..90f61705713 100644 --- a/server/methods/groupsList.js +++ b/server/methods/groupsList.js @@ -1,5 +1,10 @@ Meteor.methods({ groupsList: function(nameFilter, limit, sort) { + + check(nameFilter,String); + check(limit, Match.Optional(Number)); + check(sort, Match.Optional(String)); + if (!Meteor.userId()) { throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'groupsList' }); } 
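Review bot: `check user, Object` in getAvatarSuggestionForUser does not guarantee a `services` field, yet the next visible line dereferences `user.services.facebook?.id?` with no guard on `services` itself, so a user document without that field still fails with a TypeError instead of a Match.Error. If such documents can reach this helper (it is a plain global function rather than a Meteor method, so its callers are not visible here), `check user, Match.ObjectIncluding({ services: Match.Optional(Object) })` together with `user.services?.facebook?.id?` would make the failure explicit. The function body continues past the hunk.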
diff --git a/server/methods/hideRoom.coffee b/server/methods/hideRoom.coffee index b368e4fc73d..c8556c58985 100644 --- a/server/methods/hideRoom.coffee +++ b/server/methods/hideRoom.coffee @@ -1,5 +1,8 @@ Meteor.methods hideRoom: (rid) -> + + check rid, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'hideRoom' } diff --git a/server/methods/loadHistory.coffee b/server/methods/loadHistory.coffee index bf92f320d39..1ae41ddda4e 100644 --- a/server/methods/loadHistory.coffee +++ b/server/methods/loadHistory.coffee @@ -1,5 +1,11 @@ Meteor.methods loadHistory: (rid, end, limit=20, ls) -> + + check rid, String + check end, Match.Optional(Number) + check limit, Number + check ls, Match.Optional(Number) + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'loadHistory' } diff --git a/server/methods/loadLocale.coffee b/server/methods/loadLocale.coffee index 17f4c2d8758..aead53662dd 100644 --- a/server/methods/loadLocale.coffee +++ b/server/methods/loadLocale.coffee @@ -1,5 +1,8 @@ Meteor.methods loadLocale: (locale) -> + + check locale, String + try return Assets.getText "moment-locales/#{locale.toLowerCase()}.js" catch e diff --git a/server/methods/loadMissedMessages.coffee b/server/methods/loadMissedMessages.coffee index 5b612b59462..fcfab542453 100644 --- a/server/methods/loadMissedMessages.coffee +++ b/server/methods/loadMissedMessages.coffee @@ -1,5 +1,9 @@ Meteor.methods loadMissedMessages: (rid, start) -> + + check rid, String + check start, Number + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'loadMissedMessages' } diff --git a/server/methods/loadNextMessages.coffee b/server/methods/loadNextMessages.coffee index db0f27102cd..3d23a4e1be5 100644 --- a/server/methods/loadNextMessages.coffee +++ b/server/methods/loadNextMessages.coffee 
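Review bot: `check end, Match.Optional(Number)` and `check ls, Match.Optional(Number)` in loadHistory reject `Date` values; if callers pass timestamps as Date objects (the `ls` parameter reads like a last-seen timestamp), these should be `Match.Optional(Match.OneOf(Number, Date))` or `Match.Optional(Date)`, and the same question applies to `check start, Number` in loadMissedMessages and `check end, Match.Optional(Number)` in loadNextMessages. The lines that actually consume `end`, `ls` and `start` lie outside the hunks, so this needs confirming against the method bodies.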
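Review bot: `check locale, String` in loadLocale constrains the type but not the content, and the next visible line interpolates `locale.toLowerCase()` straight into the asset path `moment-locales/#{...}.js`. Whether `Assets.getText` normalises `..` segments is not visible here; a `Match.Where` that accepts only locale-shaped strings, for example `check locale, Match.Where((s) -> typeof s is 'string' and /^[a-z]{2,3}(-[a-z0-9]+)*$/i.test(s))`, bounds the lookup to the intended files regardless of how the asset loader resolves paths.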
@@ -1,5 +1,10 @@ Meteor.methods loadNextMessages: (rid, end, limit=20) -> + + check rid, String + check end, Match.Optional(Number) + check limt, Number + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'loadNextMessages' } diff --git a/server/methods/loadSurroundingMessages.coffee b/server/methods/loadSurroundingMessages.coffee index fcff5ee7a9b..d4bfe1617a0 100644 --- a/server/methods/loadSurroundingMessages.coffee +++ b/server/methods/loadSurroundingMessages.coffee @@ -1,5 +1,9 @@ Meteor.methods loadSurroundingMessages: (message, limit=50) -> + + check message, Object + check limit, Number + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'loadSurroundingMessages' } diff --git a/server/methods/logoutCleanUp.coffee b/server/methods/logoutCleanUp.coffee index 7d5615c3cb8..4b7a4ea2a0a 100644 --- a/server/methods/logoutCleanUp.coffee +++ b/server/methods/logoutCleanUp.coffee @@ -1,5 +1,8 @@ Meteor.methods logoutCleanUp: (user) -> + + check user, Object + Meteor.defer -> RocketChat.callbacks.run 'afterLogoutCleanUp', user diff --git a/server/methods/messageSearch.coffee b/server/methods/messageSearch.coffee index ec33c3477c0..3a2673e6a6b 100644 --- a/server/methods/messageSearch.coffee +++ b/server/methods/messageSearch.coffee @@ -1,5 +1,10 @@ Meteor.methods messageSearch: (text, rid, limit) -> + + check text, String + check rid, String + check limit, Number + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'messageSearch' } diff --git a/server/methods/migrate.coffee b/server/methods/migrate.coffee index 0107da63c12..f5321cc7f3b 100644 --- a/server/methods/migrate.coffee +++ b/server/methods/migrate.coffee @@ -1,5 +1,8 @@ Meteor.methods migrateTo: (version) -> + + check version, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'migrateTo' } 
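Review bot: `check limt, Number` in loadNextMessages misspells the parameter — the method is declared `(rid, end, limit=20)` and `limt` is not defined anywhere in the hunk — so every call will fail with a ReferenceError on the undefined identifier instead of validating `limit`. None of the later commits in this series touch this file, so the typo survives the whole patch set. The line should read `check limit, Number`.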
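Review bot: `check message, Object` in loadSurroundingMessages (and likewise in reportMessage) accepts any object, whereas deleteMessage and updateMessage in this same series use `Match.ObjectIncluding({_id:String})`; if the body reads `message._id` or `message.rid`, the stricter shape is both consistent and actually protective. The same coarse `Object` check is applied to `formData` in registerUser, `settings` in saveUserPreferences and saveUserProfile, and `user` in logoutCleanUp, where naming the fields that are read would document the expected payload. The method bodies that consume these objects are outside the hunks, so the exact field lists need confirming there.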
diff --git a/server/methods/muteUserInRoom.coffee b/server/methods/muteUserInRoom.coffee index 35fe647329d..ea6e2cb8b6e 100644 --- a/server/methods/muteUserInRoom.coffee +++ b/server/methods/muteUserInRoom.coffee @@ -1,10 +1,12 @@ Meteor.methods muteUserInRoom: (data) -> + + check(data, Match.ObjectIncluding({ rid: String, username: String })) + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'muteUserInRoom' } fromId = Meteor.userId() - check(data, Match.ObjectIncluding({ rid: String, username: String })) unless RocketChat.authz.hasPermission(fromId, 'mute-user', data.rid) throw new Meteor.Error 'error-not-allowed', 'Not allowed', { method: 'muteUserInRoom' } diff --git a/server/methods/openRoom.coffee b/server/methods/openRoom.coffee index 8308c358f15..666560f15c3 100644 --- a/server/methods/openRoom.coffee +++ b/server/methods/openRoom.coffee @@ -1,5 +1,8 @@ Meteor.methods openRoom: (rid) -> + + check rid, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'openRoom' } diff --git a/server/methods/readMessages.coffee b/server/methods/readMessages.coffee index 782917f3a00..5786730b00f 100644 --- a/server/methods/readMessages.coffee +++ b/server/methods/readMessages.coffee @@ -1,5 +1,8 @@ Meteor.methods readMessages: (rid) -> + + check rid, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'readMessages' } diff --git a/server/methods/registerUser.coffee b/server/methods/registerUser.coffee index ff6d4304745..6cf6509e050 100644 --- a/server/methods/registerUser.coffee +++ b/server/methods/registerUser.coffee @@ -1,5 +1,8 @@ Meteor.methods registerUser: (formData) -> + + check formData, Object + if RocketChat.settings.get('Accounts_RegistrationForm') is 'Disabled' throw new Meteor.Error 'error-user-registration-disabled', 'User registration is disabled', { method: 'registerUser' } 
diff --git a/server/methods/removeRoomModerator.coffee b/server/methods/removeRoomModerator.coffee index 8ed1a1ac603..c46b57aca46 100644 --- a/server/methods/removeRoomModerator.coffee +++ b/server/methods/removeRoomModerator.coffee @@ -1,11 +1,12 @@ Meteor.methods removeRoomModerator: (rid, userId) -> - unless Meteor.userId() - throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'removeRoomModerator' } check rid, String check userId, String + unless Meteor.userId() + throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'removeRoomModerator' } + unless RocketChat.authz.hasPermission Meteor.userId(), 'set-moderator', rid throw new Meteor.Error 'error-not-allowed', 'Not allowed', { method: 'removeRoomModerator' } diff --git a/server/methods/removeRoomOwner.coffee b/server/methods/removeRoomOwner.coffee index 063b9f43a5d..1a0c0901110 100644 --- a/server/methods/removeRoomOwner.coffee +++ b/server/methods/removeRoomOwner.coffee @@ -1,11 +1,12 @@ Meteor.methods removeRoomOwner: (rid, userId) -> - unless Meteor.userId() - throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'removeRoomOwner' } check rid, String check userId, String + unless Meteor.userId() + throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'removeRoomOwner' } + unless RocketChat.authz.hasPermission Meteor.userId(), 'set-owner', rid throw new Meteor.Error 'error-not-allowed', 'Not allowed', { method: 'removeRoomOwner' } diff --git a/server/methods/removeUserFromRoom.coffee b/server/methods/removeUserFromRoom.coffee index 318b7020507..0b072b30b99 100644 --- a/server/methods/removeUserFromRoom.coffee +++ b/server/methods/removeUserFromRoom.coffee 
@@ -1,10 +1,12 @@ Meteor.methods removeUserFromRoom: (data) -> + + check(data, Match.ObjectIncluding({ rid: String, username: String })) + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'removeUserFromRoom' } fromId = Meteor.userId() - check(data, Match.ObjectIncluding({ rid: String, username: String })) unless RocketChat.authz.hasPermission(fromId, 'remove-user', data.rid) throw new Meteor.Error 'error-not-allowed', 'Not allowed', { method: 'removeUserFromRoom' } diff --git a/server/methods/reportMessage.coffee b/server/methods/reportMessage.coffee index e73aed5fd10..96d4731f642 100644 --- a/server/methods/reportMessage.coffee +++ b/server/methods/reportMessage.coffee @@ -1,5 +1,9 @@ Meteor.methods reportMessage: (message, description) -> + + check message, Object + check description, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'reportMessage' } diff --git a/server/methods/resetAvatar.coffee b/server/methods/resetAvatar.coffee index 872d8a46fa4..2819f10f92f 100644 --- a/server/methods/resetAvatar.coffee +++ b/server/methods/resetAvatar.coffee @@ -1,5 +1,5 @@ Meteor.methods - resetAvatar: (image, service) -> + resetAvatar:-> unless Meteor.userId() throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'resetAvatar' }); diff --git a/server/methods/saveUserPreferences.coffee b/server/methods/saveUserPreferences.coffee index 05afec732df..c01cd297886 100644 --- a/server/methods/saveUserPreferences.coffee +++ b/server/methods/saveUserPreferences.coffee @@ -1,5 +1,8 @@ Meteor.methods saveUserPreferences: (settings) -> + + check settings, Object + if Meteor.userId() preferences = {} diff --git a/server/methods/saveUserProfile.coffee b/server/methods/saveUserProfile.coffee index cbea48fcdd8..428c8c1a0c9 100644 --- a/server/methods/saveUserProfile.coffee +++ b/server/methods/saveUserProfile.coffee 
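Review bot: `resetAvatar:->` in resetAvatar drops the space between the key and the arrow, unlike every other method definition in this series (`archiveRoom: (rid) ->`, `leaveRoom: (rid) ->`); `resetAvatar: ->` matches them. Removing the unused `(image, service)` parameters is fine, since Meteor ignores extra client arguments, but any client still sending them now has its values silently discarded rather than validated, which is worth a line in the commit message. The rest of the method is outside the hunk.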
@@ -1,5 +1,8 @@ Meteor.methods saveUserProfile: (settings) -> + + check settings, Object + unless RocketChat.settings.get("Accounts_AllowUserProfileChange") throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'saveUserProfile' }) diff --git a/server/methods/sendConfirmationEmail.coffee b/server/methods/sendConfirmationEmail.coffee index cc73b867dfe..b3007794e49 100644 --- a/server/methods/sendConfirmationEmail.coffee +++ b/server/methods/sendConfirmationEmail.coffee @@ -1,5 +1,8 @@ Meteor.methods sendConfirmationEmail: (email) -> + + check email, String + user = RocketChat.models.Users.findOneByEmailAddress s.trim(email) if user? diff --git a/server/methods/sendForgotPasswordEmail.coffee b/server/methods/sendForgotPasswordEmail.coffee index 32adedb8fba..5a75a659b0d 100644 --- a/server/methods/sendForgotPasswordEmail.coffee +++ b/server/methods/sendForgotPasswordEmail.coffee @@ -1,5 +1,8 @@ Meteor.methods sendForgotPasswordEmail: (email) -> + + check email, String + user = RocketChat.models.Users.findOneByEmailAddress s.trim(email.toLowerCase()) if user? diff --git a/server/methods/setAvatarFromService.coffee b/server/methods/setAvatarFromService.coffee index dedcddea7ad..d40986f1cbe 100644 --- a/server/methods/setAvatarFromService.coffee +++ b/server/methods/setAvatarFromService.coffee @@ -1,5 +1,10 @@ Meteor.methods setAvatarFromService: (dataURI, contentType, service) -> + + check dataURI, String + check contentType, String + check service, String + unless Meteor.userId() throw new Meteor.Error('error-invalid-user', "Invalid user", { method: 'setAvatarFromService' }) diff --git a/server/methods/setUserActiveStatus.coffee b/server/methods/setUserActiveStatus.coffee index 25bac336438..423f0a41629 100644 --- a/server/methods/setUserActiveStatus.coffee +++ b/server/methods/setUserActiveStatus.coffee 
@@ -1,5 +1,8 @@ Meteor.methods setUserActiveStatus: (userId, active) -> + + check userId, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'setUserActiveStatus' } diff --git a/server/methods/setUserPassword.coffee b/server/methods/setUserPassword.coffee index fbfff2712f3..d822326f81c 100644 --- a/server/methods/setUserPassword.coffee +++ b/server/methods/setUserPassword.coffee @@ -1,5 +1,8 @@ Meteor.methods setUserPassword: (password) -> + + check password, String + if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'setUserPassword' } diff --git a/server/methods/toogleFavorite.coffee b/server/methods/toogleFavorite.coffee index 67929505dcb..97e5dab574f 100644 --- a/server/methods/toogleFavorite.coffee +++ b/server/methods/toogleFavorite.coffee @@ -1,5 +1,9 @@ Meteor.methods toggleFavorite: (rid, f) -> + + check rid, String + check f, Match.Optional(Boolean) + if not Meteor.userId() throw new Meteor.Error('error-invalid-user', "Invalid user", { method: 'toggleFavorite' }) diff --git a/server/methods/userSetUtcOffset.coffee b/server/methods/userSetUtcOffset.coffee index fb8a7dd662f..a2a1ea82e62 100644 --- a/server/methods/userSetUtcOffset.coffee +++ b/server/methods/userSetUtcOffset.coffee @@ -1,5 +1,8 @@ Meteor.methods userSetUtcOffset: (utcOffset) -> + + check utcOffset, Number + if not @userId? return From f6b1747ac08d14653cdee9eee6ee737d186eb1d3 Mon Sep 17 00:00:00 2001 From: Martin Schoeler Date: Fri, 2 Sep 2016 10:11:42 -0300 Subject: [PATCH 3/6] no message --- packages/rocketchat-lib/server/methods/createChannel.coffee | 2 +- .../rocketchat-lib/server/methods/createPrivateGroup.coffee | 2 +- server/methods/groupsList.js | 2 +- server/methods/messageSearch.coffee | 2 +- server/methods/setAvatarFromService.coffee | 4 ++-- server/methods/setUserActiveStatus.coffee | 1 + 6 files changed, 7 insertions(+), 6 deletions(-) 
diff --git a/packages/rocketchat-lib/server/methods/createChannel.coffee b/packages/rocketchat-lib/server/methods/createChannel.coffee index 0bc29f1e01f..2e1f6b1d4b1 100644 --- a/packages/rocketchat-lib/server/methods/createChannel.coffee +++ b/packages/rocketchat-lib/server/methods/createChannel.coffee @@ -2,7 +2,7 @@ Meteor.methods createChannel: (name, members) -> check name, String - check members, [String] + check members, Match.Optional([String]) if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', "Invalid user", { method: 'createChannel' } diff --git a/packages/rocketchat-lib/server/methods/createPrivateGroup.coffee b/packages/rocketchat-lib/server/methods/createPrivateGroup.coffee index 87585ba39cd..7a83dc0916c 100644 --- a/packages/rocketchat-lib/server/methods/createPrivateGroup.coffee +++ b/packages/rocketchat-lib/server/methods/createPrivateGroup.coffee @@ -2,7 +2,7 @@ Meteor.methods createPrivateGroup: (name, members) -> check name, String - check members, [String] + check members, Match.Optional([String]) if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', "Invalid user", { method: 'createPrivateGroup' } diff --git a/server/methods/groupsList.js b/server/methods/groupsList.js index 90f61705713..37a5fe771f6 100644 --- a/server/methods/groupsList.js +++ b/server/methods/groupsList.js @@ -1,7 +1,7 @@ Meteor.methods({ groupsList: function(nameFilter, limit, sort) { - check(nameFilter,String); + check(nameFilter, String); check(limit, Match.Optional(Number)); check(sort, Match.Optional(String)); diff --git a/server/methods/messageSearch.coffee b/server/methods/messageSearch.coffee index 3a2673e6a6b..db845930ec3 100644 --- a/server/methods/messageSearch.coffee +++ b/server/methods/messageSearch.coffee 
@@ -3,7 +3,7 @@ Meteor.methods check text, String check rid, String - check limit, Number + check limit, Match.Optional(Number) if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'messageSearch' } diff --git a/server/methods/setAvatarFromService.coffee b/server/methods/setAvatarFromService.coffee index d40986f1cbe..b0026984eae 100644 --- a/server/methods/setAvatarFromService.coffee +++ b/server/methods/setAvatarFromService.coffee @@ -2,8 +2,8 @@ Meteor.methods setAvatarFromService: (dataURI, contentType, service) -> check dataURI, String - check contentType, String - check service, String + check contentType, Match.Optional(String) + check service, Match.Optional(String) unless Meteor.userId() throw new Meteor.Error('error-invalid-user', "Invalid user", { method: 'setAvatarFromService' }) diff --git a/server/methods/setUserActiveStatus.coffee b/server/methods/setUserActiveStatus.coffee index 423f0a41629..f32c5c1a617 100644 --- a/server/methods/setUserActiveStatus.coffee +++ b/server/methods/setUserActiveStatus.coffee @@ -2,6 +2,7 @@ Meteor.methods setUserActiveStatus: (userId, active) -> check userId, String + check active, Boolean if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'setUserActiveStatus' } From ab283940a69b6a25dd33f22e46ee77f5527f7e42 Mon Sep 17 00:00:00 2001 From: Martin Schoeler Date: Fri, 2 Sep 2016 11:03:57 -0300 Subject: [PATCH 4/6] Ignore Match.Optional lint exceptions --- .eslintrc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.eslintrc b/.eslintrc index 8d1f9962c50..f74ac69c507 100644 --- a/.eslintrc +++ b/.eslintrc @@ -63,7 +63,9 @@ "block-scoped-var": 2, "curly": [2, "all"], "eqeqeq": [2, "allow-null"], - "new-cap": 2, + "new-cap": [2, { + "capIsNewExceptions": ["Match.Optional"] + }], "use-isnan": 2, "valid-typeof": 2, "linebreak-style": [2, "unix"], From b11b045734d5509d22b682c4fd763bf65dc07a38 Mon Sep 17 00:00:00 2001 
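Review bot: `"capIsNewExceptions": ["Match.Optional"]` exempts only that one helper, while this series already relies on other Meteor matchers (`Match.ObjectIncluding` in the CoffeeScript methods) that will trip `new-cap` the moment one is used from a `.js` method. Listing each helper as it appears, or — if the ESLint release in use supports it — `"capIsNewExceptionPattern": "^Match\\."`, avoids growing this list one exception at a time. Also confirm that the installed ESLint matches the full dotted callee text for `capIsNewExceptions`; if it only compared the property name, `"Match.Optional"` would not suppress anything.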
From: Martin Schoeler Date: Fri, 2 Sep 2016 11:08:43 -0300 Subject: [PATCH 5/6] Fixed wrong syntax in deleteFileMessage --- server/methods/deleteFileMessage.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/server/methods/deleteFileMessage.js b/server/methods/deleteFileMessage.js index 2e55880fda7..a664e3e8169 100644 --- a/server/methods/deleteFileMessage.js +++ b/server/methods/deleteFileMessage.js @@ -1,7 +1,6 @@ Meteor.methods({ deleteFileMessage: function(fileID) { - - check fileID, String + check(fileID, String); return Meteor.call('deleteMessage', RocketChat.models.Messages.getMessageByFileId(fileID)); } From 3095d2372dc97521f6fb39726c87855abafc12f3 Mon Sep 17 00:00:00 2001 From: Martin Schoeler Date: Fri, 2 Sep 2016 11:34:39 -0300 Subject: [PATCH 6/6] fixed indentation --- server/methods/openRoom.coffee | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/methods/openRoom.coffee b/server/methods/openRoom.coffee index 666560f15c3..907501598e4 100644 --- a/server/methods/openRoom.coffee +++ b/server/methods/openRoom.coffee @@ -1,7 +1,7 @@ Meteor.methods openRoom: (rid) -> - check rid, String + check rid, String if not Meteor.userId() throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'openRoom' }