From 7d2e696be9c77d6e45d6df9f6f1650f84ec65dc3 Mon Sep 17 00:00:00 2001
From: Bradley Hilton
Date: Thu, 23 Mar 2017 17:31:59 -0300
Subject: [PATCH] Add permission check to the import methods and not just the UI (#6400)
---
 .../server/methods/getImportProgress.coffee | 3 +++
 .../server/methods/getSelectionData.coffee | 3 +++
 packages/rocketchat-importer/server/methods/prepareImport.js | 4 ++++
 .../rocketchat-importer/server/methods/restartImport.coffee | 3 +++
 .../rocketchat-importer/server/methods/setupImporter.coffee | 3 +++
 .../rocketchat-importer/server/methods/startImport.coffee | 3 +++
 6 files changed, 19 insertions(+)
diff --git a/packages/rocketchat-importer/server/methods/getImportProgress.coffee b/packages/rocketchat-importer/server/methods/getImportProgress.coffee
index fc7da9170664..89ba39919b0e 100644
--- a/packages/rocketchat-importer/server/methods/getImportProgress.coffee
+++ b/packages/rocketchat-importer/server/methods/getImportProgress.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 if not Meteor.userId()
 throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'getImportProgress' }
+ if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+ throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 if Importer.Importers[name]?
 return Importer.Importers[name].importerInstance?.getProgress()
 else
diff --git a/packages/rocketchat-importer/server/methods/getSelectionData.coffee b/packages/rocketchat-importer/server/methods/getSelectionData.coffee
index 1ee9fabe75a1..8b4780c894a9 100644
--- a/packages/rocketchat-importer/server/methods/getSelectionData.coffee
+++ b/packages/rocketchat-importer/server/methods/getSelectionData.coffee
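Review bot: The error details on the added throw name the wrong method: `{ method: 'setupImporter'}` appears here in getImportProgress, and the same literal is repeated in the getSelectionData, prepareImport, restartImport and startImport hunks. A denied call is therefore attributed to setupImporter in client error handling and in any log or audit trail built from the error details, which hides which import method an unauthorised user actually invoked. Each hunk should carry its own name, as the existing 'error-invalid-user' throw above it does, and in the .coffee files it can drop the parentheses and trailing `;` to match that line: `throw new Meteor.Error 'error-action-not-allowed', 'Importing is not allowed', { method: 'getImportProgress' }`. The method body starts above the hunk and continues below it.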
@@ -3,6 +3,9 @@ Meteor.methods
 if not Meteor.userId()
 throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'getSelectionData' }
+ if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+ throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 if Importer.Importers[name]?.importerInstance?
 progress = Importer.Importers[name].importerInstance.getProgress()
 switch progress.step
diff --git a/packages/rocketchat-importer/server/methods/prepareImport.js b/packages/rocketchat-importer/server/methods/prepareImport.js
index 88b5ded9a7b4..73c5903daa4c 100644
--- a/packages/rocketchat-importer/server/methods/prepareImport.js
+++ b/packages/rocketchat-importer/server/methods/prepareImport.js
@@ -6,6 +6,10 @@ Meteor.methods({
 throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'prepareImport' });
 }
+ if (!RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')) {
+ throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+ }
+
 check(name, String);
 check(dataURI, String);
 check(fileName, String);
diff --git a/packages/rocketchat-importer/server/methods/restartImport.coffee b/packages/rocketchat-importer/server/methods/restartImport.coffee
index 7df99cb95fee..aff7a019b43c 100644
--- a/packages/rocketchat-importer/server/methods/restartImport.coffee
+++ b/packages/rocketchat-importer/server/methods/restartImport.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 if not Meteor.userId()
 throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'restartImport' }
+ if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+ throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 if Importer.Importers[name]?
 importer = Importer.Importers[name]
 importer.importerInstance.updateProgress Importer.ProgressStep.CANCELLED
diff --git a/packages/rocketchat-importer/server/methods/setupImporter.coffee b/packages/rocketchat-importer/server/methods/setupImporter.coffee
index 7e9e89e353a1..5ae12ab836c8 100644
--- a/packages/rocketchat-importer/server/methods/setupImporter.coffee
+++ b/packages/rocketchat-importer/server/methods/setupImporter.coffee
@@ -3,6 +3,9 @@ Meteor.methods
 if not Meteor.userId()
 throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'setupImporter' }
+ if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+ throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 if Importer.Importers[name]?.importer?
 importer = Importer.Importers[name]
 # If they currently have progress, get it and return the progress.
diff --git a/packages/rocketchat-importer/server/methods/startImport.coffee b/packages/rocketchat-importer/server/methods/startImport.coffee
index edf55020ce7d..b119f6eb8a86 100644
--- a/packages/rocketchat-importer/server/methods/startImport.coffee
+++ b/packages/rocketchat-importer/server/methods/startImport.coffee
@@ -4,6 +4,9 @@ Meteor.methods
 if not Meteor.userId()
 throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'startImport' }
+ if not RocketChat.authz.hasPermission(Meteor.userId(), 'run-import')
+ throw new Meteor.Error('error-action-not-allowed', 'Importing is not allowed', { method: 'setupImporter'});
+
 if Importer.Importers[name]?.importerInstance?
 usersSelection = input.users.map (user) ->
 return new Importer.SelectionUser user.user_id, user.username, user.email, user.is_deleted, user.is_bot, user.do_import
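Review bot: The client-supplied `name` and `input` are still used without validation directly after the new guard in startImport: `input.users.map` runs on whatever object the caller sent, and unless a `check()` sits above the hunk nothing constrains its shape. prepareImport.js in this same commit validates its arguments with `check(name, String)`, so the CoffeeScript methods would be consistent with it if they began with `check name, String` plus a pattern for `input`, for example `check input, Match.ObjectIncluding(users: [Object])`. A malformed payload from an authorised account would otherwise surface as an unhandled TypeError rather than a clean Meteor.Error. The method signature is above the hunk and the body continues past its last line.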