RocketChat · sampaiodiego · Mar 8, 2023 · Mar 8, 2023 · Mar 8, 2023
@@ -98149,6 +98149,109 @@
           ]
         }
       ]
+    },
+    "5.2.2": {
+      "node_version": "14.19.3",
+      "npm_version": "6.14.17",
+      "mongo_versions": [
+        "4.2",
+        "4.4",
+        "5.0"
+      ],
+      "pull_requests": [
+        {
+          "pr": "27745",
+          "title": "[IMPROVE] Emoji picker for large amount of custom emojis",
+          "userLogin": "sampaiodiego",
+          "milestone": "5.2.2",
+          "contributors": [
+            "sampaiodiego",
+            "web-flow",
+            "kodiakhq[bot]"
+          ]
+        }
+      ]
+    },
+    "5.3.6": {
+      "node_version": "14.19.3",
+      "npm_version": "6.14.17",
+      "mongo_versions": [
+        "4.2",
+        "4.4",
+        "5.0"
+      ],
+      "pull_requests": [
+        {
+          "pr": "27816",
+          "title": "[FIX] Not all messages in chat conversations are available when forwarding between agents or departments.",
+          "userLogin": "filipemarins",
+          "milestone": "5.3.6",
+          "contributors": [
+            "filipemarins",
+            "kodiakhq[bot]",
+            "web-flow"
+          ]
+        },
+        {
+          "pr": "27745",
+          "title": "[IMPROVE] Emoji picker for large amount of custom emojis",
+          "userLogin": "sampaiodiego",
+          "milestone": "5.2.2",
+          "contributors": [
+            "sampaiodiego",
+            "web-flow",
+            "kodiakhq[bot]"
+          ]
+        }
+      ]
+    },
+    "5.4.3": {
+      "node_version": "14.19.3",
+      "npm_version": "6.14.17",
+      "mongo_versions": [
+        "4.2",
+        "4.4",
+        "5.0"
+      ],
+      "pull_requests": [
+        {
+          "pr": "28028",
+          "title": "Release 5.4.3",
+          "userLogin": "ggazzo",
+          "contributors": [
+            "ggazzo",
+            "web-flow",
+            "sampaiodiego"
+          ]
+        },
+        {
+          "pr": "27874",
+          "title": "Chore: Do not rely on external service on tests",
+          "userLogin": "sampaiodiego",
+          "contributors": [
+            "sampaiodiego"
+          ]
+        }
+      ]
+    },
+    "5.4.4": {
+      "node_version": "14.19.3",
+      "npm_version": "6.14.17",
+      "mongo_versions": [
+        "4.2",
+        "4.4",
+        "5.0"
+      ],
+      "pull_requests": [
+        {
+          "pr": "28319",
+          "title": "Chore: New temporary settings to limit access to files and outside room members",
+          "userLogin": "rodrigok",
+          "contributors": [
+            "rodrigok"
+          ]
+        }
+      ]
     }
   },
   "5.4.0-rc.0": {
@@ -100094,4 +100197,4 @@
       }
     ]
   }
-}
+}
diff --git a/HISTORY.md b/HISTORY.md
diff --git a/apps/meteor/.docker/Dockerfile.rhel b/apps/meteor/.docker/Dockerfile.rhel
@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8/nodejs-12
 
-ENV RC_VERSION 5.4.3
+ENV RC_VERSION 5.4.4
 
 MAINTAINER buildmaster@rocket.chat
 

@@ -31,5 +31,12 @@ settingsRegistry.addGroup('General', function () {
 			type: 'boolean',
 			public: true,
 		});
+
+		// Should enforce the permission on next Major and remove this setting
+		this.add('API_Apply_permission_view-outside-room_on_users-list', false, {
+			type: 'boolean',
+			public: true,
+			alert: 'This_is_a_deprecated_feature_alert',
+		});
 	});
 });
@@ -413,6 +413,10 @@ API.v1.addRoute(
 				return API.v1.unauthorized();
 			}
 
+			if (settings.get('API_Apply_permission_view-outside-room_on_users-list') && !hasPermission(this.userId, 'view-outside-room')) {
+				return API.v1.unauthorized();
+			}
+
 			const { offset, count } = this.getPaginationItems();
 			const { sort, fields, query } = this.parseJsonQuery();
 

@@ -17,6 +17,7 @@ import { Avatars, UserDataFiles, Uploads, Settings } from '@rocket.chat/models';
 import { settings } from '../../../settings/server';
 import Users from '../../../models/server/models/Users';
 import Rooms from '../../../models/server/models/Rooms';
+import Subscriptions from '../../../models/server/models/Subscriptions';
 import { mime } from '../../../utils/lib/mimeTypes';
 import { hasPermission } from '../../../authorization/server/functions/hasPermission';
 import { canAccessRoom } from '../../../authorization/server/functions/canAccessRoom';
@@ -431,7 +432,7 @@ export const FileUpload = {
 		// console.log('upload finished ->', file);
 	},
 
-	requestCanAccessFiles({ headers = {}, query = {} }) {
+	requestCanAccessFiles({ headers = {}, query = {} }, file) {
 		if (!settings.get('FileUpload_ProtectFiles')) {
 			return true;
 		}
@@ -446,16 +447,37 @@ export const FileUpload = {
 			rc_room_type = cookie.get('rc_room_type', headers.cookie);
 		}
 
-		const isAuthorizedByCookies = rc_uid && rc_token && Users.findOneByIdAndLoginToken(rc_uid, rc_token);
-		const isAuthorizedByHeaders =
-			headers['x-user-id'] && headers['x-auth-token'] && Users.findOneByIdAndLoginToken(headers['x-user-id'], headers['x-auth-token']);
-		const isAuthorizedByRoom =
+		const isAuthorizedByRoom = () =>
 			rc_room_type && roomCoordinator.getRoomDirectives(rc_room_type)?.canAccessUploadedFile({ rc_uid, rc_rid, rc_token });
-		const isAuthorizedByJWT =
+		const isAuthorizedByJWT = () =>
 			settings.get('FileUpload_Enable_json_web_token_for_files') &&
 			token &&
 			isValidJWT(token, settings.get('FileUpload_json_web_token_secret_for_files'));
-		return isAuthorizedByCookies || isAuthorizedByHeaders || isAuthorizedByRoom || isAuthorizedByJWT;
+
+		if (isAuthorizedByRoom() || isAuthorizedByJWT()) {
+			return true;
+		}
+
+		const uid = rc_uid || headers['x-user-id'];
+		const authToken = rc_token || headers['x-auth-token'];
+
+		const user = uid && authToken && Users.findOneByIdAndLoginToken(uid, authToken, { fields: { _id: 1 } });
+
+		if (!user) {
+			return false;
+		}
+
+		if (!settings.get('FileUpload_Restrict_to_room_members') || !file?.rid) {
+			return true;
+		}
+
+		const subscription = Subscriptions.findOneByRoomIdAndUserId(file.rid, user._id, { fields: { _id: 1 } });
+
+		if (subscription) {
+			return true;
+		}
+
+		return false;
 	},
 	addExtensionTo(file) {
 		if (mime.lookup(file.name) === file.type) {

@@ -10,7 +10,7 @@ WebApp.connectHandlers.use(FileUpload.getPath(), async function (req, res, next)
 		const file = await Uploads.findOneById(match[1]);
 
 		if (file) {
-			if (!FileUpload.requestCanAccessFiles(req)) {
+			if (!FileUpload.requestCanAccessFiles(req, file)) {
 				res.writeHead(403);
 				return res.end();
 			}

@@ -30,6 +30,14 @@ settingsRegistry.addGroup('FileUpload', function () {
 		i18nDescription: 'FileUpload_ProtectFilesDescription',
 	});
 
+	this.add('FileUpload_Restrict_to_room_members', false, {
+		type: 'boolean',
+		enableQuery: {
+			_id: 'FileUpload_ProtectFiles',
+			value: true,
+		},
+	});
+
 	this.add('FileUpload_RotateImages', true, {
 		type: 'boolean',
 		public: true,

diff --git a/apps/meteor/app/utils/rocketchat.info b/apps/meteor/app/utils/rocketchat.info
@@ -1,3 +1,3 @@
 {
-	"version": "5.4.3"
+	"version": "5.4.4"
 }
diff --git a/apps/meteor/package.json b/apps/meteor/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "@rocket.chat/meteor",
 	"description": "The Ultimate Open Source WebChat Platform",
-	"version": "5.4.3",
+	"version": "5.4.4",
 	"private": true,
 	"author": {
 		"name": "Rocket.Chat",

diff --git a/apps/meteor/packages/rocketchat-i18n/i18n/en.i18n.json b/apps/meteor/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -392,6 +392,8 @@
   "API_Allow_Infinite_Count_Description": "Should calls to the REST API be allowed to return everything in one call?",
   "API_Analytics": "Analytics",
   "API_CORS_Origin": "CORS Origin",
+  "API_Apply_permission_view-outside-room_on_users-list": "Apply permission `view-outside-room` to api `users.list`",
+  "API_Apply_permission_view-outside-room_on_users-list_Description": "Temporary setting to enforce permission. Will be removed on next Major release within the change to always enforce the permission",
   "API_Default_Count": "Default Count",
   "API_Default_Count_Description": "The default count for REST API results if the consumer did not provided any.",
   "API_Drupal_URL": "Drupal Server URL",
@@ -2175,6 +2177,8 @@
   "FileUpload_Disabled": "File uploads are disabled.",
   "FileUpload_Enable_json_web_token_for_files": "Enable Json Web Tokens protection to file uploads",
   "FileUpload_Enable_json_web_token_for_files_description": "Appends a JWT to uploaded files urls",
+  "FileUpload_Restrict_to_room_members": "Restrict files to rooms' members",
+  "FileUpload_Restrict_to_room_members_Description": "Restrict the access of files uploaded on rooms to the rooms' members only",
   "FileUpload_Enabled": "File Uploads Enabled",
   "FileUpload_Enabled_Direct": "File Uploads Enabled in Direct Messages ",
   "FileUpload_Error": "File Upload Error",

@@ -634,6 +634,22 @@ describe('[Users]', function () {
 	});
 
 	describe('[/users.list]', () => {
+		let user2;
+		let user2Credentials;
+
+		before(async () => {
+			user2 = await createTestUser();
+			user2Credentials = await loginTestUser(user2);
+		});
+
+		after(async () => {
+			await deleteTestUser(user2);
+			user2 = undefined;
+
+			await updatePermission('view-outside-room', ['admin', 'owner', 'moderator', 'user']);
+			await updateSetting('API_Apply_permission_view-outside-room_on_users-list', false);
+		});
+
 		it('should query all users in the system', (done) => {
 			request
 				.get(api('users.list'))
@@ -670,6 +686,27 @@ describe('[Users]', function () {
 				})
 				.end(done);
 		});
+
+		it('should query all users in the system when logged as normal user and `view-outside-room` not granted', async () => {
+			await updatePermission('view-outside-room', ['admin']);
+			await request
+				.get(api('users.list'))
+				.set(user2Credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('count');
+					expect(res.body).to.have.property('total');
+				});
+		});
+
+		it('should not query users when logged as normal user, `view-outside-room` not granted and temp setting enabled', async () => {
+			await updatePermission('view-outside-room', ['admin']);
+			await updateSetting('API_Apply_permission_view-outside-room_on_users-list', true);
+
+			await request.get(api('users.list')).set(user2Credentials).expect('Content-Type', 'application/json').expect(403);
+		});
 	});
 
 	describe('[/users.setAvatar]', () => {