Add permissions for adding to each room type

1a1ab378 · timkinnane · 40119331 · 1a1ab378 · 1a1ab378 · 1a1ab378
Commit 1a1ab378 authored 8 years ago by timkinnane
--- a/packages/rocketchat-authorization/server/startup.coffee
+++ b/packages/rocketchat-authorization/server/startup.coffee
@@ -7,8 +7,9 @@ Meteor.startup ->
 	permissions = [
 		{ _id: 'access-permissions',            roles : ['admin'] }
 		{ _id: 'add-oauth-service',             roles : ['admin'] }
-		{ _id: 'add-user-to-own-room',          roles : ['admin', 'owner', 'moderator'] }
-		{ _id: 'add-user-to-any-room',          roles : ['admin'] }
+		{ _id: 'add-user-to-joined-room',       roles : ['admin', 'owner', 'moderator'] }
+		{ _id: 'add-user-to-any-c-room',        roles : ['admin'] }
+		{ _id: 'add-user-to-any-p-room',				roles : [] }
 		{ _id: 'archive-room',                  roles : ['admin', 'owner'] }
 		{ _id: 'assign-admin-role',             roles : ['admin'] }
 		{ _id: 'ban-user',                      roles : ['admin', 'owner', 'moderator'] }

--- a/packages/rocketchat-lib/server/methods/addUserToRoom.coffee
+++ b/packages/rocketchat-lib/server/methods/addUserToRoom.coffee
@@ -13,28 +13,26 @@ Meteor.methods
 		userId = Meteor.userId()
 		user = Meteor.user()
 		userInRoom = room.usernames?.indexOf(user.username) >= 0
-		canAddToOwnRoom = RocketChat.authz.hasPermission userId, 'add-user-to-own-room', room._id
-		canAddToAnyRoom = RocketChat.authz.hasPermission userId, 'add-user-to-any-room'
 		newUser = RocketChat.models.Users.findOneByUsername data.username

+		if not newUser?._id?
+			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'addUserToRoom' }
+
+		# Can't add to direct room ever
 		if room.t is 'd'
 			throw new Meteor.Error 'error-cant-invite-for-direct-room', 'Can\'t invite user to direct rooms', { method: 'addUserToRoom' }

-		# Can't add to private room if you're not a member
-		if room.t is 'p' and not userInRoom
+		# Can add to any room you're in, with permission - otherwise need specific permission
+		if userInRoom and RocketChat.authz.hasPermission userId, 'add-user-to-joined-room', room._id
+			canAddUser = true
+		else if room.t is 'c' and RocketChat.authz.hasPermission userId, 'add-user-to-any-c-room'
+			canAddUser = true
+		else if room.t is 'p' and RocketChat.authz.hasPermission userId, 'add-user-to-any-p-room'
+			canAddUser = true
+
+		if canAddUser
+			RocketChat.addUserToRoom(data.rid, newUser, user);
+		else
 			throw new Meteor.Error 'error-not-allowed', 'Not allowed', { method: 'addUserToRoom' }

-		# Can't add to channels when you're not a member (without higher permissions)
-		if room.t is 'c' and not userInRoom and not canAddToAnyRoom
-			throw new Meteor.Error 'error-not-allowed', 'Not allowed', { method: 'addUserToRoom' }
-
-		# Can't add to channels when you are a member without permission
-		if room.t is 'c' and userInRoom and not canAddToOwnRoom
-			throw new Meteor.Error 'error-not-allowed', 'Not allowed', { method: 'addUserToRoom' }
-
-		if not newUser?._id?
-			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'addUserToRoom' }
-
-		RocketChat.addUserToRoom(data.rid, newUser, user);
-
 		return true
--- a/packages/rocketchat-ui-flextab/flex-tab/tabs/membersList.coffee
+++ b/packages/rocketchat-ui-flextab/flex-tab/tabs/membersList.coffee
@@ -62,7 +62,10 @@ Template.membersList.helpers
 	canAddUser: ->
 		roomData = Session.get('roomData' + this._id)
 		return '' unless roomData
-		return roomData.t in ['p', 'c'] and RocketChat.authz.hasAtLeastOnePermission(['add-user-to-any-room', 'add-user-to-own-room'], this._id)
+		return switch roomData.t
+			when 'p' then RocketChat.authz.hasAtLeastOnePermission ['add-user-to-any-p-room', 'add-user-to-own-room'], this._id
+			when 'c' then RocketChat.authz.hasAtLeastOnePermission ['add-user-to-any-c-room', 'add-user-to-own-room'], this._id
+			else false

 	autocompleteSettingsAddUser: ->
 		return {

--- a/server/startup/migrations/v084.js
+++ b/server/startup/migrations/v084.js
@@ -6,7 +6,7 @@ RocketChat.Migrations.add({
 			// Update permission name, copy values from old name
 			var oldPermission = RocketChat.models.Permissions.findOne('add-user-to-room');
 			if (oldPermission && oldPermission.roles.length) {
-				RocketChat.models.Permissions.upsert({ _id: 'add-user-to-own-room' }, { $set: { roles: oldPermission.roles } });
+				RocketChat.models.Permissions.upsert({ _id: 'add-user-to-joined-room' }, { $set: { roles: oldPermission.roles } });
 				RocketChat.models.Permissions.remove({ _id: 'add-user-to-room' });
 			}

@@ -16,10 +16,10 @@ RocketChat.Migrations.add({
 		if (RocketChat && RocketChat.models && RocketChat.models.Permissions) {

 			// Revert permission name, copy values from updated name
-			var newPermission = RocketChat.models.Permissions.findOne('add-user-to-own-room');
+			var newPermission = RocketChat.models.Permissions.findOne('add-user-to-joined-room');
 			if (newPermission && newPermission.roles.length) {
 				RocketChat.models.Permissions.upsert({ _id: 'add-user-to-room' }, { $set: { roles: newPermission.roles } });
-				RocketChat.models.Permissions.remove({ _id: 'add-user-to-own-room' });
+				RocketChat.models.Permissions.remove({ _id: 'add-user-to-joined-room' });
 			}

 		}