Fix permission issues with Meteor methods for Accounts plugin

imports/plugins/core/accounts/server/methods/addressBookRemove.js

@@ -16,16 +16,16 @@ import ReactionError from "@reactioncommerce/reaction-error";
 export default function addressBookRemove(addressId, accountUserId) {
   check(addressId, String);
   check(accountUserId, Match.Optional(String));
-
-  if (typeof accountUserId === "string") {
-    if (Reaction.getUserId() !== accountUserId && !Reaction.hasPermission("reaction-accounts")) {
-      throw new ReactionError("access-denied", "Access denied");
-    }
-  }
   this.unblock();
 
-  const userId = accountUserId || Reaction.getUserId();
+  const authUserId = Reaction.getUserId();
+  const userId = accountUserId || authUserId;
   const account = Accounts.findOne({ userId });
+  if (!account) throw new ReactionError("not-found", "Not Found");
+
+  if (authUserId !== userId && !Reaction.hasPermission("reaction-accounts", authUserId, account.shopId)) {
+    throw new ReactionError("access-denied", "Access denied");
+  }
 
   const updatedAccountResult = Accounts.update({
     userId,

imports/plugins/core/accounts/server/methods/addressBookUpdate.js

@@ -21,19 +21,16 @@ export default function addressBookUpdate(address, accountUserId, type) {
   Schemas.Address.validate(address);
   check(accountUserId, Match.Maybe(String));
   check(type, Match.Maybe(String));
-
-  // security check for admin access
-  if (typeof accountUserId === "string") {
-    if (Reaction.getUserId() !== accountUserId && !Reaction.hasPermission("reaction-accounts")) {
-      throw new ReactionError("access-denied", "Access denied");
-    }
-  }
   this.unblock();
 
-  // If no userId is provided, use the current user
+  const authUserId = Reaction.getUserId();
   const userId = accountUserId || Reaction.getUserId();
-  // Find old state of isShippingDefault & isBillingDefault to compare and reflect in cart
   const account = Accounts.findOne({ userId });
+  if (authUserId !== userId && !Reaction.hasPermission("reaction-accounts", authUserId, account.shopId)) {
+    throw new ReactionError("access-denied", "Access denied");
+  }
+
+  // Find old state of isShippingDefault & isBillingDefault to compare and reflect in cart
   const oldAddress = (account.profile.addressBook || []).find((addr) => addr._id === address._id);
 
   if (!oldAddress) throw new ReactionError("not-found", `No existing address found with ID ${address._id}`);

imports/plugins/core/accounts/server/methods/index.js

@@ -12,7 +12,6 @@ import markAddressValidationBypassed from "./markAddressValidationBypassed";
 import removeEmailAddress from "./removeEmailAddress";
 import removeUserPermissions from "./removeUserPermissions";
 import sendResetPasswordEmail from "./sendResetPasswordEmail";
-import sendWelcomeEmail from "./sendWelcomeEmail";
 import setProfileCurrency from "./setProfileCurrency";
 import setUserPermissions from "./setUserPermissions";
 import updateEmailAddress from "./updateEmailAddress";
@@ -47,7 +46,6 @@ export default {
   "accounts/removeEmailAddress": removeEmailAddress,
   "accounts/removeUserPermissions": removeUserPermissions,
   "accounts/sendResetPasswordEmail": sendResetPasswordEmail,
-  "accounts/sendWelcomeEmail": sendWelcomeEmail,
   "accounts/setProfileCurrency": setProfileCurrency,
   "accounts/setUserPermissions": setUserPermissions,
   "accounts/updateEmailAddress": updateEmailAddress,

imports/plugins/core/accounts/server/methods/sendWelcomeEmail.js → imports/plugins/core/accounts/server/util/sendWelcomeEmail.js

@@ -8,9 +8,8 @@ import { Accounts, Shops } from "/lib/collections";
 import Reaction from "/imports/plugins/core/core/server/Reaction";
 
 /**
- * @name accounts/sendWelcomeEmail
+ * @name sendWelcomeEmail
  * @summary Send an email to consumers on sign up
- * @memberof Accounts/Methods
  * @method
  * @param {String} shopId - shopId of new User
  * @param {String} userId - new userId to welcome
@@ -22,15 +21,13 @@ export default function sendWelcomeEmail(shopId, userId, token) {
   check(userId, String);
   check(token, String);
 
-  this.unblock();
-
-  const account = Accounts.findOne(userId);
+  const account = Accounts.findOne({ userId });
   // anonymous users aren't welcome here
   if (!account.emails || !account.emails.length > 0) {
     return false;
   }
 
-  const shop = Shops.findOne(shopId);
+  const shop = Shops.findOne({ _id: shopId });
 
   // Get shop logo, if available. If not, use default logo from file-system
   const emailLogo = Reaction.Email.getShopLogo(shop);

imports/plugins/core/core/server/startup/accounts.js

@@ -7,6 +7,7 @@ import ReactionError from "@reactioncommerce/reaction-error";
 import { Accounts } from "meteor/accounts-base";
 import * as Collections from "/lib/collections";
 import Reaction from "/imports/plugins/core/core/server/Reaction";
+import sendWelcomeEmail from "/imports/plugins/core/accounts/server/util/sendWelcomeEmail";
 
 /**
  * @summary Account server startup code
@@ -167,7 +168,7 @@ export default function startup() {
       if (userDetails.emails && userDetails.emails.length > 0
         && (!(Meteor.users.find().count() === 0) && !userDetails.profile.invited)) {
         const token = Random.secret();
-        Meteor.call("accounts/sendWelcomeEmail", shopId, user._id, token);
+        sendWelcomeEmail(shopId, user._id, token);
         const defaultEmail = userDetails.emails.find((email) => email.provides === "default");
         const when = new Date();
         const tokenObj = {