[FIX] Pin and unpin message were not checking permissions (#12739)
* Fix pin and unpin message without permissions

* Update 05-chat.js

* Fix lint
MarcosSpessatto authored and rodrigok committed Dec 21, 2018
1 parent ceddced commit 25c3a62
Showing 4 changed files with 128 additions and 24 deletions.
8 changes: 8 additions & 0 deletions packages/rocketchat-message-pin/server/pinMessage.js
Expand Up @@ -37,6 +37,10 @@ Meteor.methods({
});
}

if (!RocketChat.authz.hasPermission(Meteor.userId(), 'pin-message')) {
throw new Meteor.Error('not-authorized', 'Not Authorized', { method: 'pinMessage' });
}

const subscription = RocketChat.models.Subscriptions.findOneByRoomIdAndUserId(message.rid, Meteor.userId(), { fields: { _id: 1 } });
if (!subscription) {
return false;
Expand Down Expand Up @@ -115,6 +119,10 @@ Meteor.methods({
});
}

if (!RocketChat.authz.hasPermission(Meteor.userId(), 'pin-message')) {
throw new Meteor.Error('not-authorized', 'Not Authorized', { method: 'pinMessage' });
}

const subscription = RocketChat.models.Subscriptions.findOneByRoomIdAndUserId(message.rid, Meteor.userId(), { fields: { _id: 1 } });
if (!subscription) {
return false;
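Review bot: The new check `RocketChat.authz.hasPermission(Meteor.userId(), 'pin-message')` at the top of both hunks is evaluated without a room scope, so if `pin-message` is granted to room-scoped roles (owner, moderator) those users would be denied even though they hold the permission in the room of `message.rid`; passing the room, `RocketChat.authz.hasPermission(Meteor.userId(), 'pin-message', message.rid)`, lets the check honour room-level roles as well as global ones (which roles carry `pin-message` by default is not visible here). The second hunk (around line 119) also rejects with `{ method: 'pinMessage' }` although its position later in the same `Meteor.methods({ ... })` block suggests it is the unpin method; if so, `{ method: 'unpinMessage' }` is what clients and logs should see. Both enclosing methods start and end outside the hunks.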
9 changes: 9 additions & 0 deletions tests/data/permissions.helper.js
Expand Up @@ -8,3 +8,12 @@ export const updatePermission = (permission, roles) => new Promise((resolve) =>
.expect(200)
.end(resolve);
});

export const updateSetting = (setting, value) => new Promise((resolve) => {
request.post(`/api/v1/settings/${ setting }`)
.set(credentials)
.send({ value })
.expect('Content-Type', 'application/json')
.expect(200)
.end(resolve);
});
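Review bot: `updateSetting` (and `updatePermission` above it, whose start is outside the hunk) resolves unconditionally in `.end(resolve)`: superagent passes any expectation failure as the first callback argument, so a 4xx/5xx reply or a `success: false` body never rejects the promise and the calling test silently runs against unchanged permissions or settings, which makes a passing authorization test meaningless. The local copies this helper replaces in tests/end-to-end/api/01-users.js also asserted `expect(res.body).to.have.property('success', true)`, and that assertion is dropped here. Suggest `new Promise((resolve, reject) => ...)` with `.expect((res) => { expect(res.body).to.have.property('success', true); })` restored (importing `expect` if the helper does not already have it in scope) and `.end((err, res) => (err ? reject(err) : resolve(res)))` so setup failures surface in the test that depends on them.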
25 changes: 1 addition & 24 deletions tests/end-to-end/api/01-users.js
Expand Up @@ -12,30 +12,7 @@ import {
import { adminEmail, preferences, password, adminUsername } from '../../data/user.js';
import { imgURL } from '../../data/interactions.js';
import { customFieldText, clearCustomFields, setCustomFields } from '../../data/custom-fields.js';

const updatePermission = (permission, roles) => new Promise((resolve) => {
request.post(api('permissions.update'))
.set(credentials)
.send({ permissions: [{ _id: permission, roles }] })
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
})
.end(resolve);
});

const updateSetting = (setting, value) => new Promise((resolve) => {
request.post(`/api/v1/settings/${ setting }`)
.set(credentials)
.send({ value })
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
})
.end(resolve);
});
import { updatePermission, updateSetting } from '../../data/permissions.helper';

describe('[Users]', function() {
this.retries(0);
110 changes: 110 additions & 0 deletions tests/end-to-end/api/05-chat.js
Expand Up @@ -8,6 +8,7 @@ import {
import { password } from '../../data/user';
import { createRoom } from '../../data/rooms.helper.js';
import { sendSimpleMessage, deleteMessage } from '../../data/chat.helper.js';
import { updatePermission, updateSetting } from '../../data/permissions.helper';

describe('[Chat]', function() {
this.retries(0);
Expand Down Expand Up @@ -789,4 +790,113 @@ describe('[Chat]', function() {
});
});

describe('[/chat.pinMessage]', () => {
it('should return an error when pinMessage is not allowed in this server', (done) => {
updateSetting('Message_AllowPinning', false).then(() => {
request.post(api('chat.pinMessage'))
.set(credentials)
.send({
messageId: message._id,
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error');
})
.end(done);
});
});

it('should return an error when pinMessage is allowed in server but user dont have permission', (done) => {
updateSetting('Message_AllowPinning', true).then(() => {
updatePermission('pin-message', []).then(() => {
request.post(api('chat.pinMessage'))
.set(credentials)
.send({
messageId: message._id,
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error');
})
.end(done);
});
});
});

it('should pin Message successfully', (done) => {
updatePermission('pin-message', ['admin']).then(() => {
request.post(api('chat.pinMessage'))
.set(credentials)
.send({
messageId: message._id,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.not.have.property('error');
})
.end(done);
});
});
});

describe('[/chat.unPinMessage]', () => {
it('should return an error when pinMessage is not allowed in this server', (done) => {
updateSetting('Message_AllowPinning', false).then(() => {
request.post(api('chat.unPinMessage'))
.set(credentials)
.send({
messageId: message._id,
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error');
})
.end(done);
});
});

it('should return an error when pinMessage is allowed in server but users dont have permission', (done) => {
updateSetting('Message_AllowPinning', true).then(() => {
updatePermission('pin-message', []).then(() => {
request.post(api('chat.unPinMessage'))
.set(credentials)
.send({
messageId: message._id,
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error');
})
.end(done);
});
});
});

it('should unpin Message successfully', (done) => {
updatePermission('pin-message', ['admin']).then(() => {
request.post(api('chat.unPinMessage'))
.set(credentials)
.send({
messageId: message._id,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.not.have.property('error');
})
.end(done);
});
});
});
});
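Review bot: The new cases mutate server-wide state and only partially restore it: `updatePermission('pin-message', [])` at lines 128 and 183 strips the permission from every role and the later "successfully" cases put back only `['admin']`, while `Message_AllowPinning` is left at `true`, so every suite that runs afterwards inherits this configuration and the "successfully" cases themselves only pass because the preceding case enabled pinning. Each `describe` should capture the current setting and roles in a `before` hook and reset them in `after` (the defaults are not visible in this diff), so the order of `it` blocks stops carrying the precondition. The `it` titles at lines 164 and 181 still say "pinMessage" inside `[/chat.unPinMessage]`; e.g. `it('should return an error when unPinMessage is not allowed in this server', (done) => {`. The enclosing `describe('[Chat]')` and the `message` fixture these cases use are defined outside the hunk.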
