diff --git a/packages/rocketchat-authorization/client/views/permissions.html b/packages/rocketchat-authorization/client/views/permissions.html index b7382df1ac2f..5bdaf31c4328 100644 --- a/packages/rocketchat-authorization/client/views/permissions.html +++ b/packages/rocketchat-authorization/client/views/permissions.html @@ -41,29 +41,33 @@ {{> permissionsTable permissions=permissions allRoles=roles}} -
-
-
-
- {{_ "setting-permissions"}}
-
- + {{#if hasSettingPermission}} +
+
+
+
+ {{_ "Setting_permissions"}}
+
+ +
+
+
+ {{#if settingPermissionExpanded }} + {{> permissionsTable permissions=settingPermissions allRoles=roles}} + {{else}} + {{_ "Not_authorized"}} + {{/if}}
-
-
- {{#if settingPermissionExpanded }} - {{> permissionsTable permissions=settingPermissions allRoles=roles}} - {{/if}}
-
+ {{/if}} {{else}} {{_ "Not_authorized"}} {{/if}} diff --git a/packages/rocketchat-authorization/client/views/permissions.js b/packages/rocketchat-authorization/client/views/permissions.js index bd33ff69ec5c..143c253d8787 100644 --- a/packages/rocketchat-authorization/client/views/permissions.js +++ b/packages/rocketchat-authorization/client/views/permissions.js @@ -26,6 +26,10 @@ Template.permissions.helpers({ return RocketChat.authz.hasAllPermission('access-permissions'); }, + hasSettingPermission() { + return RocketChat.authz.hasAllPermission('access-setting-permissions'); + }, + settingPermissionExpanded() { return Template.instance().settingPermissionsExpanded.get(); } diff --git a/packages/rocketchat-authorization/server/methods/addPermissionToRole.js b/packages/rocketchat-authorization/server/methods/addPermissionToRole.js index 9fe4a94f2144..e2d2e85c2a9b 100644 --- a/packages/rocketchat-authorization/server/methods/addPermissionToRole.js +++ b/packages/rocketchat-authorization/server/methods/addPermissionToRole.js @@ -1,12 +1,17 @@ +import {permissionLevel} from '../../lib/rocketchat'; + Meteor.methods({ 'authorization:addPermissionToRole'(permission, role) { - if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')) { + if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions') + || (permission.level === permissionLevel.SETTING && !RocketChat.authz.hasPermission(Meteor.userId(), 'access-setting-permissions')) + ) { throw new Meteor.Error('error-action-not-allowed', 'Adding permission is not allowed', { method: 'authorization:addPermissionToRole', action: 'Adding_permission' }); } + // for setting-based-permissions, authorize the group access as well const addParentPermissions = function(permissionId, role) { const permission = RocketChat.models.Permissions.findOneById(permissionId); if (permission.groupPermissionId) { diff --git a/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.js b/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.js index b48f9752d9f4..d9c828bba5fb 100644 --- a/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.js +++ b/packages/rocketchat-authorization/server/methods/removeRoleFromPermission.js @@ -1,12 +1,18 @@ +import {permissionLevel} from '../../lib/rocketchat'; + Meteor.methods({ 'authorization:removeRoleFromPermission'(permission, role) { - if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')) { + if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions') + || (permission.level === permissionLevel.SETTING && !RocketChat.authz.hasPermission(Meteor.userId(), 'access-setting-permissions')) + ) { throw new Meteor.Error('error-action-not-allowed', 'Accessing permissions is not allowed', { method: 'authorization:removeRoleFromPermission', action: 'Accessing_permissions' }); } + // for setting based permissions, revoke the group permission once all setting permissions + // related to this group have been removed const removeStaleParentPermissions = function(permissionId, role) { const permission = RocketChat.models.Permissions.findOneById(permissionId); if (permission.groupPermissionId) { diff --git a/packages/rocketchat-authorization/server/publications/permissions.js b/packages/rocketchat-authorization/server/publications/permissions.js index 1c967cfa7619..5963b532a048 100644 --- a/packages/rocketchat-authorization/server/publications/permissions.js +++ b/packages/rocketchat-authorization/server/publications/permissions.js @@ -28,7 +28,7 @@ Meteor.methods({ const records = RocketChat.models.Permissions.find({ level: permissionLevel.SETTING, groupPermissionId: {$exists: true} //filter group permissions themselves, as they are being assigned implicitly - }, {}, {sort:{group: 1, section: 1}}).fetch(); + }, {}, {sort: {group: 1, section: 1}}).fetch(); if (updatedAt instanceof Date) { return { diff --git a/packages/rocketchat-authorization/server/startup.js b/packages/rocketchat-authorization/server/startup.js index 23ad9738708c..f8e23016b3cd 100644 --- a/packages/rocketchat-authorization/server/startup.js +++ b/packages/rocketchat-authorization/server/startup.js @@ -10,6 +10,7 @@ Meteor.startup(function() { // 2. admin, moderator, and user roles should not be deleted as they are referened in the code. const permissions = [ {_id: 'access-permissions', roles: ['admin']}, + {_id: 'access-setting-permissions', roles: ['admin']}, {_id: 'add-oauth-service', roles: ['admin']}, {_id: 'add-user-to-joined-room', roles: ['admin', 'owner', 'moderator']}, {_id: 'add-user-to-any-c-room', roles: ['admin']}, diff --git a/packages/rocketchat-i18n/i18n/de.i18n.json b/packages/rocketchat-i18n/i18n/de.i18n.json index 1d5195f8380d..c3b0830d6c26 100644 --- a/packages/rocketchat-i18n/i18n/de.i18n.json +++ b/packages/rocketchat-i18n/i18n/de.i18n.json @@ -16,6 +16,7 @@ "access-mailer_description": "Berechtigung, Massen-E-Mails an alle Benutzer zu versenden.", "access-permissions": "Zugriff auf die Berechtigungs-Übersicht", "access-permissions_description": "Anpassen der Berechtigungen für die unterschiedlichen Rollen.", + "access-setting-permissions": "Zugriff die Übersicht der Einstellungs-Berechtigungen", "Access_not_authorized": "Der Zugriff ist nicht gestattet.", "Access_Token_URL": "URL des Access-Token", "Accessing_permissions": "Zugriff auf Berechtigungen", @@ -1573,6 +1574,7 @@ "Set_as_leader": "Zum Diskussionsleiter ernennen", "Set_as_moderator": "Zum Moderator ernennen", "Set_as_owner": "Zum Besitzer machen", + "Setting_permissions": "Berechtigung, Einstellungen zu ändern", "Settings": "Einstellungen", "Settings_updated": "Die Einstellungen wurden aktualisiert", "Share_Location_Title": "Standort teilen?", diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json index 823a77f35cc5..ed9539cbee2e 100644 --- a/packages/rocketchat-i18n/i18n/en.i18n.json +++ b/packages/rocketchat-i18n/i18n/en.i18n.json @@ -16,6 +16,7 @@ "access-mailer_description": "Permission to send mass email to all users.", "access-permissions": "Access Permissions Screen", "access-permissions_description": "Modify permissions for various roles.", + "access-setting-permissions": "Modify setting-based permissions", "Access_not_authorized": "Access not authorized", "Access_Token_URL": "Access Token URL", "Accessing_permissions": "Accessing permissions", @@ -1606,6 +1607,7 @@ "Set_as_leader": "Set as leader", "Set_as_moderator": "Set as moderator", "Set_as_owner": "Set as owner", + "Setting_permissions": "Permission to change settings", "Settings": "Settings", "Settings_updated": "Settings updated", "Share_Location_Title": "Share Location?",