From 91125cc356a676651987c8bf2c8bcc9eec992536 Mon Sep 17 00:00:00 2001
From: Diego Sampaio <chinello@gmail.com>
Date: Mon, 30 Nov 2015 10:54:23 -0200
Subject: [PATCH] authz publications security

---
 .../rocketchat-authorization/server/publications/roles.coffee  | 3 ++-
 .../server/publications/usersInRole.coffee                     | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/packages/rocketchat-authorization/server/publications/roles.coffee b/packages/rocketchat-authorization/server/publications/roles.coffee
index 4b2dc50d8ae..6a2c35852d4 100644
--- a/packages/rocketchat-authorization/server/publications/roles.coffee
+++ b/packages/rocketchat-authorization/server/publications/roles.coffee
@@ -2,6 +2,7 @@ Meteor.publish 'roles', ->
 	unless @userId
 		return @ready()
 
-	# @TODO validate permission
+	if not RocketChat.authz.hasPermission @userId, 'access-rocket-permissions'
+		throw new Meteor.Error "not-authorized"
 
 	return RocketChat.authz.getRoles()
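Review bot: The two denial paths in this publication now behave differently: an unauthenticated subscriber gets a silent `@ready()` (lines 16-17) while an authenticated user without `access-rocket-permissions` gets a thrown `Meteor.Error` delivered to the client (lines 20-21). Unless the client code depends on the error, the quieter form `return @ready()` in place of the throw would keep the publication from leaking which check failed and would match the existing branch; if the throw is intentional, a one-line comment such as `# deny with an error so the client can distinguish "not logged in" from "not permitted"` would record that. The same inconsistency appears in the usersInRole.coffee hunk below. The Meteor.publish header for this function sits on the hunk's context line and is outside the hunk.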
diff --git a/packages/rocketchat-authorization/server/publications/usersInRole.coffee b/packages/rocketchat-authorization/server/publications/usersInRole.coffee
index 1fbdc57cad5..089cea8e671 100644
--- a/packages/rocketchat-authorization/server/publications/usersInRole.coffee
+++ b/packages/rocketchat-authorization/server/publications/usersInRole.coffee
@@ -2,6 +2,7 @@ Meteor.publish 'usersInRole', (roleName) ->
 	unless @userId
 		return @ready()
 
-	# @TODO validate permission
+	if not RocketChat.authz.hasPermission @userId, 'access-rocket-permissions'
+		throw new Meteor.Error "not-authorized"
 
 	return RocketChat.authz.getUsersInRole roleName
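Review bot: `roleName` arrives from the subscribing client and is passed straight to `RocketChat.authz.getUsersInRole` on the last line with no type validation; the new permission guard restricts who may call this, but does not restrict what they may send. If the Meteor `check` package is in scope here, `check roleName, String` before the permission test would reject non-string arguments (objects, arrays) before they reach the query layer. The publish header declaring `roleName` is on the hunk's context line, outside the hunk.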
-- 
GitLab