From ec396041264b2b414678232483701ffcf9cd6423 Mon Sep 17 00:00:00 2001
From: Diego Sampaio <chinello@gmail.com>
Date: Mon, 30 Nov 2015 20:52:04 -0200
Subject: [PATCH] improved permission check on permissions manager pages

---
 .../client/views/permissions.coffee           |   3 +
 .../client/views/permissions.html             |  36 +++---
 .../client/views/permissionsRole.coffee       |   3 +
 .../client/views/permissionsRole.html         | 110 +++++++++---------
 .../server/methods/addPermissionToRole.coffee |   5 +-
 .../methods/removeRoleFromPermission.coffee   |   5 +-
 6 files changed, 91 insertions(+), 71 deletions(-)

diff --git a/packages/rocketchat-authorization/client/views/permissions.coffee b/packages/rocketchat-authorization/client/views/permissions.coffee
index 8d4d7dcbbe8..f8420e316e9 100644
--- a/packages/rocketchat-authorization/client/views/permissions.coffee
+++ b/packages/rocketchat-authorization/client/views/permissions.coffee
@@ -10,6 +10,9 @@ Template.permissions.helpers
 		if roles?
 			return 'checked' if roles.indexOf(@name) isnt -1
 
+	hasPermission: ->
+		return RocketChat.authz.hasAllPermission 'access-rocket-permissions'
+
 Template.permissions.events
 	'click .role-permission': (e, instance) ->
 		permission = e.currentTarget.getAttribute('data-permission')
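Review bot: The new `hasPermission` helper deserves a comment stating that it only gates what the template renders, since `RocketChat.authz.hasAllPermission` runs on the client and the actual enforcement for these pages is the `access-rocket-permissions` check the same patch adds to the server methods; I would put `# UI gating only: the server methods re-check 'access-rocket-permissions' on every call` above the helper. The identical helper is added to permissionsRole.coffee in this patch, so the same comment applies there, and the two copies could plausibly become one shared helper rather than being duplicated per template. The `Template.permissions.events` handler that starts at the bottom of this hunk continues outside it.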
diff --git a/packages/rocketchat-authorization/client/views/permissions.html b/packages/rocketchat-authorization/client/views/permissions.html
index 0115efefdb6..ad9bc027f65 100644
--- a/packages/rocketchat-authorization/client/views/permissions.html
+++ b/packages/rocketchat-authorization/client/views/permissions.html
@@ -1,24 +1,28 @@
 <template name="permissions">
-	<h1>{{_ "Permissions"}}</h1>
+	{{#if hasPermission}}
+		<h1>{{_ "Permissions"}}</h1>
 
-	<a href="{{pathFor "rocket-permissions-new"}}" class="button primary new-role">{{_ "New_role"}}</a>
+		<a href="{{pathFor "rocket-permissions-new"}}" class="button primary new-role">{{_ "New_role"}}</a>
 
-	<table border="1">
-		<tr>
-			<td>&nbsp;</td>
-			{{#each role}}
-				<td title="{{description}}"><a href="{{pathFor "rocket-permissions-edit" name=name}}">{{name}}</a></td>
-			{{/each}}
-		</tr>
-		{{#each permission}}
+		<table border="1">
 			<tr>
-				<td>{{_id}}</td>
+				<td>&nbsp;</td>
 				{{#each role}}
-					<td>
-						<input type="checkbox" name="perm[{{_id}}][{{../_id}}]" class="role-permission" value="1" checked="{{granted ../roles ../_id}}" data-role="{{name}}" data-permission="{{../_id}}">
-					</td>
+					<td title="{{description}}"><a href="{{pathFor "rocket-permissions-edit" name=name}}">{{name}}</a></td>
 				{{/each}}
 			</tr>
-		{{/each}}
-	</table>
+			{{#each permission}}
+				<tr>
+					<td>{{_id}}</td>
+					{{#each role}}
+						<td>
+							<input type="checkbox" name="perm[{{_id}}][{{../_id}}]" class="role-permission" value="1" checked="{{granted ../roles ../_id}}" data-role="{{name}}" data-permission="{{../_id}}">
+						</td>
+					{{/each}}
+				</tr>
+			{{/each}}
+		</table>
+	{{else}}
+		{{_ "Not_authorized"}}
+	{{/if}}
 </template>
diff --git a/packages/rocketchat-authorization/client/views/permissionsRole.coffee b/packages/rocketchat-authorization/client/views/permissionsRole.coffee
index c079659410f..590b2cf58f3 100644
--- a/packages/rocketchat-authorization/client/views/permissionsRole.coffee
+++ b/packages/rocketchat-authorization/client/views/permissionsRole.coffee
@@ -14,6 +14,9 @@ Template.permissionsRole.helpers
 		if @emails?.length > 0
 			return @emails[0].address
 
+	hasPermission: ->
+		return RocketChat.authz.hasAllPermission 'access-rocket-permissions'
+
 Template.permissionsRole.events
 
 	'click .remove-user': (e, instance) ->
diff --git a/packages/rocketchat-authorization/client/views/permissionsRole.html b/packages/rocketchat-authorization/client/views/permissionsRole.html
index 1fb609282d9..5677bff22b2 100644
--- a/packages/rocketchat-authorization/client/views/permissionsRole.html
+++ b/packages/rocketchat-authorization/client/views/permissionsRole.html
@@ -1,61 +1,65 @@
 <template name="permissionsRole">
-	<a href="{{pathFor "rocket-permissions"}}">{{_ "Back_to_permissions"}}</a><br><br>
+	{{#if hasPermission}}
+		<a href="{{pathFor "rocket-permissions"}}">{{_ "Back_to_permissions"}}</a><br><br>
 
-	{{#with role}}
-		<form id="form-role" class="inline">
-			<label>{{_ "Role"}}</label>:
-				{{#if editing}}
-					<span>{{name}}</span>
-				{{else}}
-					<input type="text" name="name" value="">
-				{{/if}}
-			<br>
-			<label>{{_ "Description"}}</label>:
-				<input type="text" name="description" value="{{description}}">
-			<br>
+		{{#with role}}
+			<form id="form-role" class="inline">
+				<label>{{_ "Role"}}</label>:
+					{{#if editing}}
+						<span>{{name}}</span>
+					{{else}}
+						<input type="text" name="name" value="">
+					{{/if}}
+				<br>
+				<label>{{_ "Description"}}</label>:
+					<input type="text" name="description" value="{{description}}">
+				<br>
 
-			<button name="save" class="button primary">{{_ "Save"}}</button>
+				<button name="save" class="button primary">{{_ "Save"}}</button>
 
-			{{#unless protected}}
-				<button name="delete" class="button red delete-role">{{_ "Delete"}}</button>
-			{{/unless}}
-		</form>
-	{{/with}}
+				{{#unless protected}}
+					<button name="delete" class="button red delete-role">{{_ "Delete"}}</button>
+				{{/unless}}
+			</form>
+		{{/with}}
 
-	{{#if editing}}
-		<h2>{{_ "Users_in_role"}}</h2>
-		<form id="form-users" class="inline">
-			<label>{{_ "Add_user"}}</label>
-			<input type="text" name="username" placeholder="{{_ "Enter_a_username"}}">
-			<button name="add" class="button primary">{{_ "Add"}}</button>
-		</form>
-		<div class="list">
-			<table>
-				<thead>
-					<tr>
-						<th>&nbsp;</th>
-						<th width="34%">{{_ "Name"}}</th>
-						<th width="33%">{{_ "Username"}}</th>
-						<th width="33%">{{_ "E-mail"}}</th>
-						<th>&nbsp;</th>
-					</tr>
-				</thead>
-				<tbody>
-					{{#each userInRole}}
-						<tr class="user-info" data-id="{{_id}}">
-							<td>
-								<div class="user-image status-{{status}}">
-									{{> avatar username=username}}
-								</div>
-							</td>
-							<td>{{name}}</td>
-							<td>{{username}}</td>
-							<td>{{emailAddress}}</td>
-							<td><a href="#remove" class="remove-user"><i class="icon-block"></i></a></td>
+		{{#if editing}}
+			<h2>{{_ "Users_in_role"}}</h2>
+			<form id="form-users" class="inline">
+				<label>{{_ "Add_user"}}</label>
+				<input type="text" name="username" placeholder="{{_ "Enter_a_username"}}">
+				<button name="add" class="button primary">{{_ "Add"}}</button>
+			</form>
+			<div class="list">
+				<table>
+					<thead>
+						<tr>
+							<th>&nbsp;</th>
+							<th width="34%">{{_ "Name"}}</th>
+							<th width="33%">{{_ "Username"}}</th>
+							<th width="33%">{{_ "E-mail"}}</th>
+							<th>&nbsp;</th>
 						</tr>
-					{{/each}}
-				</tbody>
-			</table>
-		</div>
+					</thead>
+					<tbody>
+						{{#each userInRole}}
+							<tr class="user-info" data-id="{{_id}}">
+								<td>
+									<div class="user-image status-{{status}}">
+										{{> avatar username=username}}
+									</div>
+								</td>
+								<td>{{name}}</td>
+								<td>{{username}}</td>
+								<td>{{emailAddress}}</td>
+								<td><a href="#remove" class="remove-user"><i class="icon-block"></i></a></td>
+							</tr>
+						{{/each}}
+					</tbody>
+				</table>
+			</div>
+		{{/if}}
+	{{else}}
+		{{_ "Not_authorized"}}
 	{{/if}}
 </template>
diff --git a/packages/rocketchat-authorization/server/methods/addPermissionToRole.coffee b/packages/rocketchat-authorization/server/methods/addPermissionToRole.coffee
index db3901161a4..693a1b3e420 100644
--- a/packages/rocketchat-authorization/server/methods/addPermissionToRole.coffee
+++ b/packages/rocketchat-authorization/server/methods/addPermissionToRole.coffee
@@ -1,5 +1,8 @@
 Meteor.methods
 	'authorization:addPermissionToRole': (permission, role) ->
-		# @TODO permission check
+		if not Meteor.userId() or not RocketChat.authz.hasPermission Meteor.userId(), 'access-rocket-permissions'
+			throw new Meteor.Error "not-authorized"
+
+		console.log '[methods] authorization:addPermissionToRole -> '.green, 'arguments:', arguments
 
 		RocketChat.models.Permissions.addRole permission, role
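Review bot: The method still passes `permission` and `role` straight from the client into `RocketChat.models.Permissions.addRole` without validating their types, so the new authorization check does not constrain what an authorized caller can hand to the model; assuming Meteor's `check` package is in scope, adding `check permission, String` and `check role, String` before the model call would reject anything that is not a plain identifier. The same applies to the `authorization:removeRoleFromPermission` hunk in removeRoleFromPermission.coffee. As a minor style point, `Meteor.userId()` is evaluated twice in the guard; `userId = Meteor.userId()` followed by `if not userId or not RocketChat.authz.hasPermission userId, 'access-rocket-permissions'` reads more clearly. Note also that the `console.log` line depends on a `.green` property on `String.prototype`, which presumably comes from a colors package loaded elsewhere — worth confirming it is guaranteed to be present on the server.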
diff --git a/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.coffee b/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.coffee
index 3289eb28f5d..8acad5b971a 100644
--- a/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.coffee
+++ b/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.coffee
@@ -1,5 +1,8 @@
 Meteor.methods
 	'authorization:removeRoleFromPermission': (permission, role) ->
-		# @TODO permission check
+		if not Meteor.userId() or not RocketChat.authz.hasPermission Meteor.userId(), 'access-rocket-permissions'
+			throw new Meteor.Error "not-authorized"
+
+		console.log '[methods] authorization:removeRoleFromPermission -> '.green, 'arguments:', arguments
 
 		RocketChat.models.Permissions.removeRole permission, role
-- 
GitLab