RocketChat · d-gubert · Oct 14, 2022 · Sep 2, 2022 · Sep 2, 2022 · Sep 2, 2022
diff --git a/HISTORY.md b/HISTORY.md
diff --git a/apps/meteor/.docker/Dockerfile.rhel b/apps/meteor/.docker/Dockerfile.rhel
@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8/nodejs-12
 
-ENV RC_VERSION 5.1.4
+ENV RC_VERSION 5.2.0
 
 MAINTAINER buildmaster@rocket.chat
 

diff --git a/apps/meteor/.mocharc.js b/apps/meteor/.mocharc.js
@@ -24,6 +24,7 @@ module.exports = {
 	...base, // see https://github.com/mochajs/mocha/issues/3916
 	exit: true,
 	spec: [
+		'ee/server/lib/ldap/*.spec.ts',
 		'ee/tests/**/*.tests.ts',
 		'ee/tests/**/*.spec.ts',
 		'tests/unit/app/**/*.spec.ts',

@@ -139,6 +139,7 @@ type ActionThis<TMethod extends Method, TPathPattern extends PathPattern, TOptio
 		me: IUser,
 	): TOptions extends { authRequired: true } ? UserInfo : TOptions extends { authOrAnonRequired: true } ? UserInfo | undefined : undefined;
 	composeRoomWithLastMessage(room: IRoom, userId: string): IRoom;
+	isWidget(): boolean;
 } & (TOptions extends { authRequired: true }
 	? {
 			readonly user: IUser;

@@ -1,5 +1,5 @@
 import { API } from '../api';
 
 API.helperMethods.set('requestParams', function _requestParams(this: any) {
-	return ['POST', 'PUT'].includes(this.request.method) ? this.bodyParams : this.queryParams;
+	return ['POST', 'PUT', 'DELETE'].includes(this.request.method) ? this.bodyParams : this.queryParams;
 });
@@ -2,15 +2,12 @@ import type { IEmailInbox } from '@rocket.chat/core-typings';
 import type { Filter, InsertOneResult, Sort, UpdateResult, WithId } from 'mongodb';
 import { EmailInbox } from '@rocket.chat/models';
 
-import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { Users } from '../../../models/server';
 
 export const findEmailInboxes = async ({
-	userId,
 	query = {},
 	pagination: { offset, count, sort },
 }: {
-	userId: string;
 	query?: Filter<IEmailInbox>;
 	pagination: {
 		offset: number;
@@ -23,9 +20,6 @@ export const findEmailInboxes = async ({
 	count: number;
 	offset: number;
 }> => {
-	if (!(await hasPermissionAsync(userId, 'manage-email-inbox'))) {
-		throw new Error('error-not-allowed');
-	}
 	const { cursor, totalCount } = EmailInbox.findPaginated(query, {
 		sort: sort || { name: 1 },
 		skip: offset,
@@ -42,10 +36,7 @@ export const findEmailInboxes = async ({
 	};
 };
 
-export const findOneEmailInbox = async ({ userId, _id }: { userId: string; _id: string }): Promise<IEmailInbox | null> => {
-	if (!(await hasPermissionAsync(userId, 'manage-email-inbox'))) {
-		throw new Error('error-not-allowed');
-	}
+export const findOneEmailInbox = async ({ _id }: { _id: string }): Promise<IEmailInbox | null> => {
 	return EmailInbox.findOneById(_id);
 };
 export const insertOneEmailInbox = async (
@@ -62,12 +53,11 @@ export const insertOneEmailInbox = async (
 };
 
 export const updateEmailInbox = async (
-	userId: string,
 	emailInboxParams: Pick<IEmailInbox, '_id' | 'active' | 'name' | 'email' | 'description' | 'senderInfo' | 'department' | 'smtp' | 'imap'>,
 ): Promise<InsertOneResult<WithId<IEmailInbox>> | UpdateResult> => {
 	const { _id, active, name, email, description, senderInfo, department, smtp, imap } = emailInboxParams;
 
-	const emailInbox = await findOneEmailInbox({ userId, _id });
+	const emailInbox = await findOneEmailInbox({ _id });
 
 	if (!emailInbox) {
 		throw new Error('error-invalid-email-inbox');
@@ -90,10 +80,3 @@ export const updateEmailInbox = async (
 
 	return EmailInbox.updateOne({ _id }, updateEmailInbox);
 };
-
-export const findOneEmailInboxByEmail = async ({ userId, email }: { userId: string; email: string }): Promise<IEmailInbox | null> => {
-	if (!(await hasPermissionAsync(userId, 'manage-email-inbox'))) {
-		throw new Error('error-not-allowed');
-	}
-	return EmailInbox.findOne({ email });
-};
@@ -1,28 +1,24 @@
 import { escapeRegExp } from '@rocket.chat/string-helpers';
 import type { IUser } from '@rocket.chat/core-typings';
 import type { Filter } from 'mongodb';
-import { Users } from '@rocket.chat/models';
+import { Users, Subscriptions } from '@rocket.chat/models';
 import type { Mongo } from 'meteor/mongo';
 
 import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
+import { settings } from '../../../settings/server';
 
 type UserAutoComplete = Required<Pick<IUser, '_id' | 'name' | 'username' | 'nickname' | 'status' | 'avatarETag'>>;
+
 export async function findUsersToAutocomplete({
 	uid,
 	selector,
 }: {
 	uid: string;
-	selector: {
-		exceptions: string[];
-		conditions: Filter<IUser>;
-		term: string;
-	};
+	selector: { exceptions: Required<IUser>['username'][]; conditions: Filter<IUser>; term: string };
 }): Promise<{
 	items: UserAutoComplete[];
 }> {
-	if (!(await hasPermissionAsync(uid, 'view-outside-room'))) {
-		return { items: [] };
-	}
+	const searchFields = settings.get<string>('Accounts_SearchFields').trim().split(',');
 	const exceptions = selector.exceptions || [];
 	const conditions = selector.conditions || {};
 	const options = {
@@ -39,6 +35,20 @@ export async function findUsersToAutocomplete({
 		limit: 10,
 	};
 
+	// Search on DMs first, to list known users before others.
+	const contacts = await Subscriptions.findConnectedUsersExcept(uid, selector.term, exceptions, searchFields, conditions, 10, 'd');
+	if (contacts.length >= options.limit) {
+		return { items: contacts as UserAutoComplete[] };
+	}
+
+	options.limit -= contacts.length;
+	contacts.forEach(({ username }) => exceptions.push(username));
+
+	if (!(await hasPermissionAsync(uid, 'view-outside-room'))) {
+		const users = await Subscriptions.findConnectedUsersExcept(uid, selector.term, exceptions, searchFields, conditions, 10);
+		return { items: contacts.concat(users) as UserAutoComplete[] };
+	}
+
 	const users = await Users.findActiveByUsernameOrNameRegexWithExceptionsAndConditions<UserAutoComplete>(
 		new RegExp(escapeRegExp(selector.term), 'i'),
 		exceptions,
@@ -47,7 +57,7 @@ export async function findUsersToAutocomplete({
 	).toArray();
 
 	return {
-		items: users,
+		items: (contacts as UserAutoComplete[]).concat(users),
 	};
 }
 

@@ -3,18 +3,17 @@ import { EmailInbox } from '@rocket.chat/models';
 
 import { API } from '../api';
 import { insertOneEmailInbox, findEmailInboxes, findOneEmailInbox, updateEmailInbox } from '../lib/emailInbox';
-import { hasPermission } from '../../../authorization/server/functions/hasPermission';
 import Users from '../../../models/server/models/Users';
 import { sendTestEmailToInbox } from '../../../../server/features/EmailInbox/EmailInbox_Outgoing';
 
 API.v1.addRoute(
 	'email-inbox.list',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['manage-email-inbox'] },
 	{
 		async get() {
 			const { offset, count } = this.getPaginationItems();
 			const { sort, query } = this.parseJsonQuery();
-			const emailInboxes = await findEmailInboxes({ userId: this.userId, query, pagination: { offset, count, sort } });
+			const emailInboxes = await findEmailInboxes({ query, pagination: { offset, count, sort } });
 
 			return API.v1.success(emailInboxes);
 		},
@@ -23,13 +22,9 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'email-inbox',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['manage-email-inbox'] },
 	{
 		async post() {
-			if (!hasPermission(this.userId, 'manage-email-inbox')) {
-				throw new Error('error-not-allowed');
-			}
-
 			check(this.bodyParams, {
 				_id: Match.Maybe(String),
 				active: Boolean,
@@ -64,7 +59,7 @@ API.v1.addRoute(
 				_id = emailInbox.insertedId.toString();
 			} else {
 				_id = emailInboxParams._id;
-				await updateEmailInbox(this.userId, { ...emailInboxParams, _id });
+				await updateEmailInbox({ ...emailInboxParams, _id });
 			}
 			return API.v1.success({ _id });
 		},
@@ -73,7 +68,7 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'email-inbox/:_id',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['manage-email-inbox'] },
 	{
 		async get() {
 			check(this.urlParams, {
@@ -84,15 +79,11 @@ API.v1.addRoute(
 			if (!_id) {
 				throw new Error('error-invalid-param');
 			}
-			// TODO: Chapter day backend - check if user has permission to view this email inbox instead of null values
-			const emailInboxes = await findOneEmailInbox({ userId: this.userId, _id });
+			const emailInboxes = await findOneEmailInbox({ _id });
 
 			return API.v1.success(emailInboxes);
 		},
 		async delete() {
-			if (!hasPermission(this.userId, 'manage-email-inbox')) {
-				throw new Error('error-not-allowed');
-			}
 			check(this.urlParams, {
 				_id: String,
 			});
@@ -103,7 +94,6 @@ API.v1.addRoute(
 			}
 
 			const emailInboxes = await EmailInbox.findOneById(_id);
-
 			if (!emailInboxes) {
 				return API.v1.notFound();
 			}
@@ -115,12 +105,9 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'email-inbox.search',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['manage-email-inbox'] },
 	{
 		async get() {
-			if (!hasPermission(this.userId, 'manage-email-inbox')) {
-				throw new Error('error-not-allowed');
-			}
 			check(this.queryParams, {
 				email: String,
 			});
@@ -138,12 +125,9 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'email-inbox.send-test/:_id',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['manage-email-inbox'] },
 	{
 		async post() {
-			if (!hasPermission(this.userId, 'manage-email-inbox')) {
-				throw new Error('error-not-allowed');
-			}
 			check(this.urlParams, {
 				_id: String,
 			});
@@ -152,7 +136,7 @@ API.v1.addRoute(
 			if (!_id) {
 				throw new Error('error-invalid-param');
 			}
-			const emailInbox = await findOneEmailInbox({ userId: this.userId, _id });
+			const emailInbox = await findOneEmailInbox({ _id });
 
 			if (!emailInbox) {
 				return API.v1.notFound();

@@ -18,6 +18,7 @@ import { Match, check } from 'meteor/check';
 import { TAPi18n } from 'meteor/rocketchat:tap-i18n';
 import type { IExportOperation, IPersonalAccessToken, IUser } from '@rocket.chat/core-typings';
 import { Users as UsersRaw } from '@rocket.chat/models';
+import type { Filter } from 'mongodb';
 
 import { Users, Subscriptions } from '../../../models/server';
 import { hasPermission } from '../../../authorization/server';
@@ -39,9 +40,9 @@ import { resetUserE2EEncriptionKey } from '../../../../server/lib/resetUserE2EKe
 import { resetTOTP } from '../../../2fa/server/functions/resetTOTP';
 import { Team } from '../../../../server/sdk';
 import { isValidQuery } from '../lib/isValidQuery';
-import { setUserStatus } from '../../../../imports/users-presence/server/activeUsers';
 import { getURL } from '../../../utils/server';
 import { getUploadFormData } from '../lib/getUploadFormData';
+import { api } from '../../../../server/sdk/api';
 
 API.v1.addRoute(
 	'users.getAvatar',
@@ -815,11 +816,22 @@ API.v1.addRoute(
 	{ authRequired: true, validateParams: isUsersAutocompleteProps },
 	{
 		async get() {
-			const { selector } = this.queryParams;
+			const { selector: selectorRaw } = this.queryParams;
+
+			const selector: { exceptions: Required<IUser>['username'][]; conditions: Filter<IUser>; term: string } = JSON.parse(selectorRaw);
+
+			try {
+				if (selector?.conditions && !isValidQuery(selector.conditions, ['*'], ['$or', '$and'])) {
+					throw new Error('error-invalid-query');
+				}
+			} catch (e) {
+				return API.v1.failure(e);
+			}
+
 			return API.v1.success(
 				await findUsersToAutocomplete({
 					uid: this.userId,
-					selector: JSON.parse(selector),
+					selector,
 				}),
 			);
 		},
@@ -1031,7 +1043,11 @@ API.v1.addRoute(
 							},
 						});
 
-						setUserStatus(user, status);
+						const { _id, username, statusText, roles, name } = user;
+						api.broadcast('presence.status', {
+							user: { status, _id, username, statusText, roles, name },
+							previousStatus: user.status,
+						});
 					} else {
 						throw new Meteor.Error('error-invalid-status', 'Valid status types include online, away, offline, and busy.', {
 							method: 'users.setStatus',

@@ -8,7 +8,7 @@ import { canAccessRoom } from '../../../../authorization/server';
 
 API.v1.addRoute(
 	'voip/events',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['view-l-room'] },
 	{
 		async post() {
 			check(this.requestParams(), {

@@ -3,7 +3,6 @@ import type { IUser, IVoipExtensionWithAgentInfo } from '@rocket.chat/core-typin
 import { Users } from '@rocket.chat/models';
 
 import { API } from '../../api';
-import { hasPermission } from '../../../../authorization/server/index';
 import { LivechatVoip } from '../../../../../server/sdk';
 import { logger } from './logger';
 
@@ -31,12 +30,9 @@ const isUserIdndTypeParams = (p: any): p is { userId: string; type: 'free' | 'al
 
 API.v1.addRoute(
 	'omnichannel/agent/extension',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['manage-agent-extension-association'] },
 	{
 		async post() {
-			if (!hasPermission(this.userId, 'manage-agent-extension-association')) {
-				return API.v1.unauthorized();
-			}
 			check(
 				this.bodyParams,
 				Match.OneOf(
@@ -94,13 +90,16 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'omnichannel/agent/extension/:username',
-	{ authRequired: true },
+	{
+		authRequired: true,
+		permissionsRequired: {
+			GET: ['view-agent-extension-association'],
+			DELETE: ['manage-agent-extension-association'],
+		},
+	},
 	{
 		// Get the extensions associated with the agent passed as request params.
 		async get() {
-			if (!hasPermission(this.userId, 'view-agent-extension-association')) {
-				return API.v1.unauthorized();
-			}
 			check(
 				this.urlParams,
 				Match.ObjectIncluding({
@@ -128,9 +127,6 @@ API.v1.addRoute(
 		},
 
 		async delete() {
-			if (!hasPermission(this.userId, 'manage-agent-extension-association')) {
-				return API.v1.unauthorized();
-			}
 			check(
 				this.urlParams,
 				Match.ObjectIncluding({