Add permission check to the import methods and not just the UI (#6400)

7d2e696b · Bradley Hilton · Rodrigo Nascimento · 20695fac · 7d2e696b · 7d2e696b
Commit 7d2e696b authored 8 years ago by Bradley Hilton Committed by Rodrigo Nascimento 8 years ago
--- a/packages/rocketchat-importer/server/methods/getImportProgress.coffee
+++ b/packages/rocketchat-importer/server/methods/getImportProgress.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'getImportProgress' }

+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?
 			return Importer.Importers[name].importerInstance?.getProgress()
 		else

--- a/packages/rocketchat-importer/server/methods/getSelectionData.coffee
+++ b/packages/rocketchat-importer/server/methods/getSelectionData.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'getSelectionData' }

+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?.importerInstance?
 			progress = Importer.Importers[name].importerInstance.getProgress()
 			switch progress.step

--- a/packages/rocketchat-importer/server/methods/prepareImport.js
+++ b/packages/rocketchat-importer/server/methods/prepareImport.js
@@ -6,6 +6,10 @@ Meteor.methods({
 			throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'prepareImport' });
 		}

+		if (!RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')) {
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+		}
+
 		check(name, String);
 		check(dataURI, String);
 		check(fileName, String);

--- a/packages/rocketchat-importer/server/methods/restartImport.coffee
+++ b/packages/rocketchat-importer/server/methods/restartImport.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'restartImport' }

+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?
 			importer = Importer.Importers[name]
 			importer.importerInstance.updateProgress Importer.ProgressStep.CANCELLED

--- a/packages/rocketchat-importer/server/methods/setupImporter.coffee
+++ b/packages/rocketchat-importer/server/methods/setupImporter.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'setupImporter' }

+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?.importer?
 			importer = Importer.Importers[name]
 			# If they currently have progress, get it and return the progress.

--- a/packages/rocketchat-importer/server/methods/startImport.coffee
+++ b/packages/rocketchat-importer/server/methods/startImport.coffee
@@ -4,6 +4,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'startImport' }

+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?.importerInstance?
 			usersSelection = input.users.map (user) ->
 				return new Importer.SelectionUser user.user_id, user.username, user.email, user.is_deleted, user.is_bot, user.do_import