regression(federation): enhance user authorization checks for federation access (#37965)

ggazzo · sampaiodiego · web-flow · commit cf748a6faf62 · 2025-12-29T10:16:01.000-03:00
Co-authored-by: Diego Sampaio &lt;chinello@gmail.com&gt;
diff --git a/apps/meteor/app/lib/server/functions/createRoom.ts b/apps/meteor/app/lib/server/functions/createRoom.ts
@@ -2,7 +2,7 @@ import { AppEvents, Apps } from '@rocket.chat/apps';
 import { AppsEngineException } from '@rocket.chat/apps-engine/definition/exceptions';
 import { FederationMatrix, Message, Room, Team } from '@rocket.chat/core-services';
 import type { ICreateRoomParams, ISubscriptionExtraData } from '@rocket.chat/core-services';
-import type { ICreatedRoom, IUser, IRoom, RoomType } from '@rocket.chat/core-typings';
+import { type ICreatedRoom, type IUser, type IRoom, type RoomType, isUserNativeFederated } from '@rocket.chat/core-typings';
 import { Rooms, Subscriptions, Users } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
@@ -184,7 +184,12 @@ export const createRoom = async <T extends RoomType>(
 
 	const shouldBeHandledByFederation = extraData.federated === true;
 
-	if (shouldBeHandledByFederation && owner && !(await hasPermissionAsync(owner._id, 'access-federation'))) {
+	if (
+		shouldBeHandledByFederation &&
+		owner &&
+		!isUserNativeFederated(owner) &&
+		!(await hasPermissionAsync(owner._id, 'access-federation'))
+	) {
 		throw new Meteor.Error('error-not-authorized-federation', 'Not authorized to access federation', {
 			method: 'createRoom',
 		});
diff --git a/apps/meteor/app/lib/server/functions/getRoomByNameOrIdWithOptionToJoin.ts b/apps/meteor/app/lib/server/functions/getRoomByNameOrIdWithOptionToJoin.ts
@@ -14,7 +14,7 @@ export const getRoomByNameOrIdWithOptionToJoin = async ({
 	joinChannel = true,
 	errorOnEmpty = true,
 }: {
-	user: Pick<IUser, '_id' | 'username'>;
+	user: Pick<IUser, '_id' | 'username' | 'federated' | 'federation'>;
 	nameOrId: string;
 	type?: RoomType;
 	tryDirectByUserIdOnly?: boolean;
diff --git a/apps/meteor/app/lib/server/methods/joinRoom.ts b/apps/meteor/app/lib/server/methods/joinRoom.ts
@@ -16,8 +16,8 @@ Meteor.methods<ServerMethods>({
 	async joinRoom(rid, code) {
 		check(rid, String);
 
-		const userId = await Meteor.userId();
-		if (!userId) {
+		const user = await Meteor.userAsync();
+		if (!user) {
 			throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'joinRoom' });
 		}
 
@@ -26,6 +26,6 @@ Meteor.methods<ServerMethods>({
 			throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'joinRoom' });
 		}
 
-		return Room.join({ room, user: { _id: userId }, ...(code ? { joinCode: code } : {}) });
+		return Room.join({ room, user, ...(code ? { joinCode: code } : {}) });
 	},
 });
diff --git a/apps/meteor/app/slashcommands-join/server/server.ts b/apps/meteor/app/slashcommands-join/server/server.ts
@@ -1,6 +1,6 @@
 import { api, Room } from '@rocket.chat/core-services';
 import type { SlashCommandCallbackParams } from '@rocket.chat/core-typings';
-import { Rooms, Subscriptions } from '@rocket.chat/models';
+import { Rooms, Subscriptions, Users } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
 import { i18n } from '../../../server/lib/i18n';
@@ -43,7 +43,13 @@ slashCommands.add({
 			});
 		}
 
-		await Room.join({ room, user: { _id: userId } });
+		const user = await Users.findOneById(userId, { projection: { federated: 1, federation: 1 } });
+		if (!user) {
+			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
+				method: 'slashCommands',
+			});
+		}
+		await Room.join({ room, user });
 	},
 	options: {
 		description: 'Join_the_given_channel',
diff --git a/apps/meteor/ee/server/hooks/federation/index.ts b/apps/meteor/ee/server/hooks/federation/index.ts
@@ -112,8 +112,7 @@ beforeAddUserToRoom.add(
 			return;
 		}
 
-		// TODO should we really check for "user" here? it is potentially an external user
-		if (!(await Authorization.hasPermission(user._id, 'access-federation'))) {
+		if (!isUserNativeFederated(user) && !(await Authorization.hasPermission(user._id, 'access-federation'))) {
 			throw new MeteorError('error-not-authorized-federation', 'Not authorized to access federation');
 		}
 
diff --git a/apps/meteor/server/services/room/service.ts b/apps/meteor/server/services/room/service.ts
@@ -9,6 +9,7 @@ import {
 	isOmnichannelRoom,
 	isRoomWithJoinCode,
 } from '@rocket.chat/core-typings';
+import { isUserNativeFederated } from '@rocket.chat/core-typings';
 import { Rooms, Subscriptions, Users } from '@rocket.chat/models';
 
 import { getNameForDMs } from './getNameForDMs';
@@ -148,7 +149,7 @@ export class RoomService extends ServiceClassInternal implements IRoomService {
 	/**
 	 * Method called by users to join a room.
 	 */
-	async join({ room, user, joinCode }: { room: IRoom; user: Pick<IUser, '_id'>; joinCode?: string }) {
+	async join({ room, user, joinCode }: { room: IRoom; user: Pick<IUser, '_id' | 'federated' | 'federation'>; joinCode?: string }) {
 		if (!(await roomCoordinator.getRoomDirectives(room.t)?.allowMemberAction(room, RoomMemberActions.JOIN, user._id))) {
 			throw new MeteorError('error-not-allowed', 'Not allowed', { method: 'joinRoom' });
 		}
@@ -161,7 +162,11 @@ export class RoomService extends ServiceClassInternal implements IRoomService {
 			throw new MeteorError('error-not-allowed', 'Not allowed', { method: 'joinRoom' });
 		}
 
-		if (FederationActions.shouldPerformFederationAction(room) && !(await Authorization.hasPermission(user._id, 'access-federation'))) {
+		if (
+			FederationActions.shouldPerformFederationAction(room) &&
+			!isUserNativeFederated(user) &&
+			!(await Authorization.hasPermission(user._id, 'access-federation'))
+		) {
 			throw new MeteorError('error-not-authorized-federation', 'Not authorized to access federation', { method: 'joinRoom' });
 		}
 
diff --git a/ee/packages/federation-matrix/tests/end-to-end/dms.spec.ts b/ee/packages/federation-matrix/tests/end-to-end/dms.spec.ts
@@ -10,18 +10,7 @@ import { IS_EE } from '../../../../../apps/meteor/tests/e2e/config/constants';
 import { retry } from '../../../../../apps/meteor/tests/end-to-end/api/helpers/retry';
 import { federationConfig } from '../helper/config';
 import { SynapseClient } from '../helper/synapse-client';
-
-function withTimeout<T>(fn: (signal: AbortSignal) => Promise<T>, ms: number): Promise<T> {
-	const controller = new AbortController();
-
-	const timeoutId = setTimeout(() => {
-		controller.abort();
-	}, ms);
-
-	return fn(controller.signal).finally(() => {
-		clearTimeout(timeoutId);
-	});
-}
+import { withTimeout } from '../helper/withTimeout';
 
 const waitForRoomEvent = async (
 	room: Room,
diff --git a/ee/packages/federation-matrix/tests/end-to-end/permissions.spec.ts b/ee/packages/federation-matrix/tests/end-to-end/permissions.spec.ts
diff --git a/ee/packages/federation-matrix/tests/helper/withTimeout.ts b/ee/packages/federation-matrix/tests/helper/withTimeout.ts
diff --git a/packages/core-services/src/types/IRoomService.ts b/packages/core-services/src/types/IRoomService.ts

Original file line number	Diff line number	Diff line change
`@@ -112,8 +112,7 @@ beforeAddUserToRoom.add(`
`112`	`112`	`return;`
`113`	`113`	`}`
`114`	`114`
`115`		`- // TODO should we really check for "user" here? it is potentially an external user`
`116`		`- if (!(await Authorization.hasPermission(user._id, 'access-federation'))) {`
	`115`	`+ if (!isUserNativeFederated(user) && !(await Authorization.hasPermission(user._id, 'access-federation'))) {`
`117`	`116`	`throw new MeteorError('error-not-authorized-federation', 'Not authorized to access federation');`
`118`	`117`	`}`
`119`	`118`