import { api } from '@rocket.chat/core-services';
import type { IRole, IUser } from '@rocket.chat/core-typings';
import type { ServerMethods } from '@rocket.chat/ddp-client';
import { Roles, Users } from '@rocket.chat/models';
import { Meteor } from 'meteor/meteor';
import { addUserRolesAsync } from '../../../../server/lib/roles/addUserRoles';
import { methodDeprecationLogger } from '../../../lib/server/lib/deprecationWarningLogger';
import { settings } from '../../../settings/server';
import { hasPermissionAsync } from '../functions/hasPermission';
// Module augmentation: adds the `authorization:addUserToRole` DDP method to the
// shared `ServerMethods` map so typed clients and the `Meteor.methods<ServerMethods>`
// registration below agree on its signature: role `_id`, target username, an
// optional scope string (the error text below refers to it as a room), and a
// `Promise<boolean>` result. Note these types are erased at runtime; the method
// body must still validate what the client actually sends.
declare module '@rocket.chat/ddp-client' {
	// eslint-disable-next-line @typescript-eslint/naming-convention
	interface ServerMethods {
		'authorization:addUserToRole'(roleId: IRole['_id'], username: IUser['username'], scope: string | undefined): Promise<boolean>;
	}
}
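/**
 * DDP method `authorization:addUserToRole`.
 *
 * Adds the user named `username` to the role `roleId`, optionally restricted to
 * `scope`. `roleId` is resolved as a role `_id` first; a role *name* is still
 * accepted as a fallback but logs a deprecation warning (removal announced for
 * 7.0.0).
 *
 * Authorization, in order:
 *  - the caller must be logged in and hold `access-permissions`;
 *  - granting the `admin` role additionally requires `assign-admin-role`;
 *  - when a scope is given, `Roles.canAddUserToRole` must confirm the target
 *    user belongs to that scope.
 *
 * Every argument comes from the client and the TypeScript signature is erased
 * at runtime, so each one is type-checked here before it reaches a query.
 *
 * @param roleId   role `_id` (or, deprecated, role name)
 * @param username target user's username; looked up case-insensitively
 * @param scope    optional scope string forwarded to the role helpers
 * @returns whatever `addUserRolesAsync` returns
 * @throws Meteor.Error `error-action-not-allowed`, `error-invalid-arguments`,
 *   `error-invalid-role`, `error-user-not-found`, `error-invalid-user`
 */
Meteor.methods<ServerMethods>({
	async 'authorization:addUserToRole'(roleId: IRole['_id'], username: IUser['username'], scope) {
		const userId = Meteor.userId();
		if (!userId || !(await hasPermissionAsync(userId, 'access-permissions'))) {
			throw new Meteor.Error('error-action-not-allowed', 'Accessing permissions is not allowed', {
				method: 'authorization:addUserToRole',
				action: 'Accessing_permissions',
			});
		}

		// `.valueOf()` lets boxed String objects through while rejecting other types.
		if (!roleId || typeof roleId.valueOf() !== 'string' || !username || typeof username.valueOf() !== 'string') {
			throw new Meteor.Error('error-invalid-arguments', 'Invalid arguments', {
				method: 'authorization:addUserToRole',
			});
		}

		// `scope` is declared `string | undefined`, but nothing enforces that at
		// runtime: a client could send an object or array, which would otherwise be
		// handed straight to `Roles.canAddUserToRole` / `addUserRolesAsync` as a
		// value. Accept only a string or an absent (undefined/null) scope; absent
		// keeps the original "no scope" behaviour.
		if (scope != null && typeof scope !== 'string') {
			throw new Meteor.Error('error-invalid-arguments', 'Invalid arguments', {
				method: 'authorization:addUserToRole',
			});
		}

		// Resolve by _id first; fall back to name for legacy callers (deprecated).
		let role = await Roles.findOneById<Pick<IRole, '_id'>>(roleId, { projection: { _id: 1 } });
		if (!role) {
			role = await Roles.findOneByName<Pick<IRole, '_id'>>(roleId, { projection: { _id: 1 } });
			if (!role) {
				throw new Meteor.Error('error-invalid-role', 'Invalid Role', {
					method: 'authorization:addUserToRole',
				});
			}
			methodDeprecationLogger.deprecatedParameterUsage(
				'authorization:addUserToRole',
				'role',
				'7.0.0',
				({ parameter, method, version }) => `Calling ${method} with \`${parameter}\` names is deprecated and will be removed ${version}`,
			);
		}

		// Privilege escalation guard: `access-permissions` alone must not be enough
		// to hand out admin.
		if (role._id === 'admin' && !(await hasPermissionAsync(userId, 'assign-admin-role'))) {
			throw new Meteor.Error('error-action-not-allowed', 'Assigning admin is not allowed', {
				method: 'authorization:addUserToRole',
				action: 'Assign_admin',
			});
		}

		// The lookup ignores case, so the stored username may differ from the
		// caller-supplied one; fetch it so the broadcast carries the canonical value.
		const user = await Users.findOneByUsernameIgnoringCase(username, {
			projection: {
				_id: 1,
				username: 1,
			},
		});
		if (!user?._id) {
			throw new Meteor.Error('error-user-not-found', 'User not found', {
				method: 'authorization:addUserToRole',
			});
		}

		// verify if user can be added to given scope
		if (scope && !(await Roles.canAddUserToRole(user._id, role._id, scope))) {
			throw new Meteor.Error('error-invalid-user', 'User is not part of given room', {
				method: 'authorization:addUserToRole',
			});
		}

		const add = await addUserRolesAsync(user._id, [role._id], scope);

		// Fire-and-forget notification; only emitted when roles are shown in the UI.
		if (settings.get('UI_DisplayRoles')) {
			void api.broadcast('user.roleUpdate', {
				type: 'added',
				_id: role._id,
				u: {
					_id: user._id,
					username: user.username ?? username,
				},
				scope,
			});
		}

		return add;
	},
});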