Permission to access setting permissions

redlink-gmbh · Nov 20, 2017 · 48b1076 · 48b1076
1 parent c87a30d
commit 48b1076
Show file tree

Hide file tree

Showing 8 changed files with 47 additions and 23 deletions.
diff --git a/packages/rocketchat-authorization/client/views/permissions.html b/packages/rocketchat-authorization/client/views/permissions.html
@@ -41,29 +41,33 @@
 						{{> permissionsTable permissions=permissions allRoles=roles}}
 					</div>
 				</div>
-				<div class="rocket-form">
-					<div class="section {{#unless settingPermissionExpanded}}section-collapsed{{/unless}}">
-						<div class="section-title">
-							<div class="section-title-text">
-								{{_ "setting-permissions"}}</div>
-							<div class="section-title-right">
-								<button class="button primary js-toggle-setting-permissions"><span>
-									{{#if settingPermissionExpanded }}
-										{{_ "Collapse"}}
-									{{else}}
-										{{_ "Expand"}}
-									{{/if}}
-								</span>
-								</button>
+				{{#if hasSettingPermission}}
+					<div class="rocket-form">
+						<div class="section {{#unless settingPermissionExpanded}}section-collapsed{{/unless}}">
+							<div class="section-title">
+								<div class="section-title-text">
+									{{_ "Setting_permissions"}}</div>
+								<div class="section-title-right">
+									<button class="button primary js-toggle-setting-permissions"><span>
+										{{#if settingPermissionExpanded }}
+											{{_ "Collapse"}}
+										{{else}}
+											{{_ "Expand"}}
+										{{/if}}
+									</span>
+									</button>
+								</div>
+							</div>
+							<div class="section-content border-component-color">
+								{{#if settingPermissionExpanded }}
+									{{> permissionsTable permissions=settingPermissions allRoles=roles}}
+								{{else}}
+									{{_ "Not_authorized"}}
+								{{/if}}
 							</div>
-						</div>
-						<div class="section-content border-component-color">
-							{{#if settingPermissionExpanded }}
-								{{> permissionsTable permissions=settingPermissions allRoles=roles}}
-							{{/if}}
 						</div>
 					</div>
-				</div>
+				{{/if}}
 			{{else}}
 				{{_ "Not_authorized"}}
 			{{/if}}

diff --git a/packages/rocketchat-authorization/client/views/permissions.js b/packages/rocketchat-authorization/client/views/permissions.js
@@ -26,6 +26,10 @@ Template.permissions.helpers({
 		return RocketChat.authz.hasAllPermission('access-permissions');
 	},
 
+	hasSettingPermission() {
+		return RocketChat.authz.hasAllPermission('access-setting-permissions');
+	},
+
 	settingPermissionExpanded() {
 		return Template.instance().settingPermissionsExpanded.get();
 	}

diff --git a/packages/rocketchat-authorization/server/methods/addPermissionToRole.js b/packages/rocketchat-authorization/server/methods/addPermissionToRole.js
@@ -1,12 +1,17 @@
+import {permissionLevel} from '../../lib/rocketchat';
+
 Meteor.methods({
 	'authorization:addPermissionToRole'(permission, role) {
-		if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')) {
+		if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')
+			|| (permission.level === permissionLevel.SETTING && !RocketChat.authz.hasPermission(Meteor.userId(), 'access-setting-permissions'))
+		) {
 			throw new Meteor.Error('error-action-not-allowed', 'Adding permission is not allowed', {
 				method: 'authorization:addPermissionToRole',
 				action: 'Adding_permission'
 			});
 		}
 
+		// for setting-based-permissions, authorize the group access as well
 		const addParentPermissions = function(permissionId, role) {
 			const permission = RocketChat.models.Permissions.findOneById(permissionId);
 			if (permission.groupPermissionId) {

diff --git a/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.js b/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.js
@@ -1,12 +1,18 @@
+import {permissionLevel} from '../../lib/rocketchat';
+
 Meteor.methods({
 	'authorization:removeRoleFromPermission'(permission, role) {
-		if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')) {
+		if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')
+			|| (permission.level === permissionLevel.SETTING && !RocketChat.authz.hasPermission(Meteor.userId(), 'access-setting-permissions'))
+		) {
 			throw new Meteor.Error('error-action-not-allowed', 'Accessing permissions is not allowed', {
 				method: 'authorization:removeRoleFromPermission',
 				action: 'Accessing_permissions'
 			});
 		}
 
+		// for setting based permissions, revoke the group permission once all setting permissions
+		// related to this group have been removed
 		const removeStaleParentPermissions = function(permissionId, role) {
 			const permission = RocketChat.models.Permissions.findOneById(permissionId);
 			if (permission.groupPermissionId) {

diff --git a/packages/rocketchat-authorization/server/publications/permissions.js b/packages/rocketchat-authorization/server/publications/permissions.js
@@ -28,7 +28,7 @@ Meteor.methods({
 		const records = RocketChat.models.Permissions.find({
 			level: permissionLevel.SETTING,
 			groupPermissionId: {$exists: true} //filter group permissions themselves, as they are being assigned implicitly
-		}, {}, {sort:{group: 1, section: 1}}).fetch();
+		}, {}, {sort: {group: 1, section: 1}}).fetch();
 
 		if (updatedAt instanceof Date) {
 			return {

diff --git a/packages/rocketchat-authorization/server/startup.js b/packages/rocketchat-authorization/server/startup.js
@@ -10,6 +10,7 @@ Meteor.startup(function() {
 	// 2. admin, moderator, and user roles should not be deleted as they are referened in the code.
 	const permissions = [
 		{_id: 'access-permissions', roles: ['admin']},
+		{_id: 'access-setting-permissions', roles: ['admin']},
 		{_id: 'add-oauth-service', roles: ['admin']},
 		{_id: 'add-user-to-joined-room', roles: ['admin', 'owner', 'moderator']},
 		{_id: 'add-user-to-any-c-room', roles: ['admin']},

diff --git a/packages/rocketchat-i18n/i18n/de.i18n.json b/packages/rocketchat-i18n/i18n/de.i18n.json
@@ -16,6 +16,7 @@
   "access-mailer_description": "Berechtigung, Massen-E-Mails an alle Benutzer zu versenden.",
   "access-permissions": "Zugriff auf die Berechtigungs-Übersicht",
   "access-permissions_description": "Anpassen der Berechtigungen für die unterschiedlichen Rollen.",
+  "access-setting-permissions": "Zugriff die Übersicht der Einstellungs-Berechtigungen",
   "Access_not_authorized": "Der Zugriff ist nicht gestattet.",
   "Access_Token_URL": "URL des Access-Token",
   "Accessing_permissions": "Zugriff auf Berechtigungen",
@@ -1573,6 +1574,7 @@
   "Set_as_leader": "Zum Diskussionsleiter ernennen",
   "Set_as_moderator": "Zum Moderator ernennen",
   "Set_as_owner": "Zum Besitzer machen",
+  "Setting_permissions": "Berechtigung, Einstellungen zu ändern",
   "Settings": "Einstellungen",
   "Settings_updated": "Die Einstellungen wurden aktualisiert",
   "Share_Location_Title": "Standort teilen?",

diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -16,6 +16,7 @@
   "access-mailer_description": "Permission to send mass email to all users.",
   "access-permissions": "Access Permissions Screen",
   "access-permissions_description": "Modify permissions for various roles.",
+  "access-setting-permissions": "Modify setting-based permissions",
   "Access_not_authorized": "Access not authorized",
   "Access_Token_URL": "Access Token URL",
   "Accessing_permissions": "Accessing permissions",
@@ -1606,6 +1607,7 @@
   "Set_as_leader": "Set as leader",
   "Set_as_moderator": "Set as moderator",
   "Set_as_owner": "Set as owner",
+  "Setting_permissions": "Permission to change settings",
   "Settings": "Settings",
   "Settings_updated": "Settings updated",
   "Share_Location_Title": "Share Location?",