It's possible to pin messages without having permission (Meteor method) #12535

Closed
rafaelks opened this issue Nov 5, 2018 · 1 comment
rafaelks commented Nov 5, 2018

Description:

The Meteor method is not checking the user's permissions before pinning the message.

```js
pinMessage(message, pinnedAt) {
	const userId = Meteor.userId();
	if (!userId) {
		throw new Meteor.Error('error-invalid-user', 'Invalid user', {
			method: 'pinMessage',
		});
	}
	if (!RocketChat.settings.get('Message_AllowPinning')) {
		throw new Meteor.Error('error-action-not-allowed', 'Message pinning not allowed', {
			method: 'pinMessage',
			action: 'Message_pinning',
		});
	}
	const subscription = RocketChat.models.Subscriptions.findOneByRoomIdAndUserId(message.rid, Meteor.userId(), { fields: { _id: 1 } });
	if (!subscription) {
		return false;
	}
	// Only room membership is verified above; the caller's permission to pin is never checked
	let originalMessage = RocketChat.models.Messages.findOneById(message._id);
	if (originalMessage == null || originalMessage._id == null) {
		throw new Meteor.Error('error-invalid-message', 'Message you are pinning was not found', {
			method: 'pinMessage',
			action: 'Message_pinning',
		});
	}
	// If we keep history of edits, insert a new message to store history information
	if (RocketChat.settings.get('Message_KeepHistory')) {
		RocketChat.models.Messages.cloneAndSaveAsHistoryById(message._id);
	}
	const room = Meteor.call('canAccessRoom', message.rid, Meteor.userId());
	const me = RocketChat.models.Users.findOneById(userId);
	originalMessage.pinned = true;
	originalMessage.pinnedAt = pinnedAt || Date.now(); // Date.now must be called to get a timestamp
	originalMessage.pinnedBy = {
		_id: userId,
		username: me.username,
	};
	originalMessage = RocketChat.callbacks.run('beforeSaveMessage', originalMessage);
	RocketChat.models.Messages.setPinnedByIdAndUserId(originalMessage._id, originalMessage.pinnedBy, originalMessage.pinned);
	if (RocketChat.isTheLastMessage(room, message)) {
		RocketChat.models.Rooms.setLastMessagePinned(room._id, originalMessage.pinnedBy, originalMessage.pinned);
	}
	const attachments = [];
	if (Array.isArray(originalMessage.attachments)) {
		originalMessage.attachments.forEach((attachment) => {
			if (!attachment.message_link || shouldAdd(attachments, attachment)) {
				attachments.push(attachment);
			}
		});
	}
	// Post a system message announcing the pin, quoting the pinned message
	return RocketChat.models.Messages.createWithTypeRoomIdMessageAndUser(
		'message_pinned',
		originalMessage.rid,
		'',
		me,
		{
			attachments: [
				{
					text: originalMessage.msg,
					author_name: originalMessage.u.username,
					author_icon: getAvatarUrlFromUsername(
						originalMessage.u.username
					),
					ts: originalMessage.ts,
					attachments: recursiveRemove(attachments),
				},
			],
		}
	);
},
```

rafaelks commented Nov 5, 2018

Looks like unpin is also possible:

```js
unpinMessage(message) {
	if (!Meteor.userId()) {
		throw new Meteor.Error('error-invalid-user', 'Invalid user', {
			method: 'unpinMessage',
		});
	}
	if (!RocketChat.settings.get('Message_AllowPinning')) {
		throw new Meteor.Error('error-action-not-allowed', 'Message pinning not allowed', {
			method: 'unpinMessage',
			action: 'Message_pinning',
		});
	}
	const subscription = RocketChat.models.Subscriptions.findOneByRoomIdAndUserId(message.rid, Meteor.userId(), { fields: { _id: 1 } });
	if (!subscription) {
		return false;
	}
	// Same gap as pinMessage: membership is checked, permission to unpin is not
	let originalMessage = RocketChat.models.Messages.findOneById(message._id);
	if (originalMessage == null || originalMessage._id == null) {
		throw new Meteor.Error('error-invalid-message', 'Message you are unpinning was not found', {
			method: 'unpinMessage',
			action: 'Message_pinning',
		});
	}
	// If we keep history of edits, insert a new message to store history information
	if (RocketChat.settings.get('Message_KeepHistory')) {
		RocketChat.models.Messages.cloneAndSaveAsHistoryById(originalMessage._id);
	}
	const me = RocketChat.models.Users.findOneById(Meteor.userId());
	originalMessage.pinned = false;
	originalMessage.pinnedBy = {
		_id: Meteor.userId(),
		username: me.username,
	};
	originalMessage = RocketChat.callbacks.run('beforeSaveMessage', originalMessage);
	const room = Meteor.call('canAccessRoom', message.rid, Meteor.userId());
	if (RocketChat.isTheLastMessage(room, message)) {
		RocketChat.models.Rooms.setLastMessagePinned(room._id, originalMessage.pinnedBy, originalMessage.pinned);
	}
	return RocketChat.models.Messages.setPinnedByIdAndUserId(originalMessage._id, originalMessage.pinnedBy, originalMessage.pinned);
},
```
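As an added example (not Rocket.Chat's own code), the stand-alone JavaScript below models the guard sequence both methods above run and the step they omit: a room subscription proves membership, not the right to pin. `hasPermission`, the `'pin-message'` permission name, the `error-not-allowed` code and all in-memory stores are assumptions constructed here; `requirePermission: false` reproduces the reported behaviour so the two paths can be compared.

```javascript
// Constructed in-memory stand-ins for RocketChat.settings, Subscriptions,
// Messages and the permission lookup (assumptions, not Rocket.Chat's APIs).
function makeEnv() {
  return {
    settings: { Message_AllowPinning: true },
    subscriptions: new Set(['room1:alice', 'room1:bob']),   // "rid:userId"
    permissions: { 'pin-message': new Set(['alice']) },     // users holding the permission
    messages: { m1: { _id: 'm1', rid: 'room1', pinned: false, pinnedBy: null } },
  };
}

function hasPermission(env, userId, permission) {
  const holders = env.permissions[permission];
  return Boolean(holders && holders.has(userId));
}

// Runs the guards in the same order as the reported method and returns the
// first failure. `requirePermission: false` mirrors the original method,
// which stops after the subscription lookup and never asks about permission.
function authorizePin(env, userId, message, { requirePermission = true } = {}) {
  if (!userId) return { ok: false, error: 'error-invalid-user' };
  if (!env.settings.Message_AllowPinning) return { ok: false, error: 'error-action-not-allowed' };
  if (!env.subscriptions.has(`${message.rid}:${userId}`)) return { ok: false, error: 'error-not-subscribed' };
  const original = env.messages[message._id];
  if (!original) return { ok: false, error: 'error-invalid-message' };
  if (requirePermission && !hasPermission(env, userId, 'pin-message')) {
    return { ok: false, error: 'error-not-allowed' };       // the check the methods lack
  }
  return { ok: true, message: original };
}

// Shared by pin and unpin: state is mutated only after every guard has passed.
function setPinned(env, userId, message, pinned, opts) {
  const decision = authorizePin(env, userId, message, opts);
  if (!decision.ok) return decision;
  decision.message.pinned = pinned;
  decision.message.pinnedBy = { _id: userId };
  return decision;
}

const pinMessage = (env, userId, message, opts) => setPinned(env, userId, message, true, opts);
const unpinMessage = (env, userId, message, opts) => setPinned(env, userId, message, false, opts);
```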
