Add permission check to the import methods and not just the UI (#6400)

RocketChat · Mar 23, 2017 · 7d2e696 · 7d2e696
1 parent 20695fa
commit 7d2e696
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 0 deletions.
diff --git a/packages/rocketchat-importer/server/methods/getImportProgress.coffee b/packages/rocketchat-importer/server/methods/getImportProgress.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'getImportProgress' }
 
+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?
 			return Importer.Importers[name].importerInstance?.getProgress()
 		else

diff --git a/packages/rocketchat-importer/server/methods/getSelectionData.coffee b/packages/rocketchat-importer/server/methods/getSelectionData.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'getSelectionData' }
 
+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?.importerInstance?
 			progress = Importer.Importers[name].importerInstance.getProgress()
 			switch progress.step

diff --git a/packages/rocketchat-importer/server/methods/prepareImport.js b/packages/rocketchat-importer/server/methods/prepareImport.js
@@ -6,6 +6,10 @@ Meteor.methods({
 			throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'prepareImport' });
 		}
 
+		if (!RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')) {
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+		}
+
 		check(name, String);
 		check(dataURI, String);
 		check(fileName, String);

diff --git a/packages/rocketchat-importer/server/methods/restartImport.coffee b/packages/rocketchat-importer/server/methods/restartImport.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'restartImport' }
 
+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?
 			importer = Importer.Importers[name]
 			importer.importerInstance.updateProgress Importer.ProgressStep.CANCELLED

diff --git a/packages/rocketchat-importer/server/methods/setupImporter.coffee b/packages/rocketchat-importer/server/methods/setupImporter.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'setupImporter' }
 
+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?.importer?
 			importer = Importer.Importers[name]
 			# If they currently have progress, get it and return the progress.

diff --git a/packages/rocketchat-importer/server/methods/startImport.coffee b/packages/rocketchat-importer/server/methods/startImport.coffee
@@ -4,6 +4,9 @@ Meteor.methods
 		if not Meteor.userId()
 			throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'startImport' }
 
+		if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+			throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 		if Importer.Importers[name]?.importerInstance?
 			usersSelection = input.users.map (user) ->
 				return new Importer.SelectionUser user.user_id, user.username, user.email, user.is_deleted, user.is_bot, user.do_import