From a0bdecb89e196e69e727512d38af074402d191c6 Mon Sep 17 00:00:00 2001
From: Guilherme Gazzo
Date: Tue, 19 Nov 2024 15:16:02 -0300
Subject: [PATCH] fix: `resetIrcConnection` not requiring user logged (#33994)
---
 .changeset/tricky-trees-destroy.md | 4 ++++
 .../app/irc/server/methods/resetIrcConnection.ts | 11 +++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 .changeset/tricky-trees-destroy.md
diff --git a/.changeset/tricky-trees-destroy.md b/.changeset/tricky-trees-destroy.md
new file mode 100644
index 000000000000..3d43cc5b571a
--- /dev/null
+++ b/.changeset/tricky-trees-destroy.md
@@ -0,0 +1,4 @@
+---
+"@rocket.chat/meteor": patch
+---
+Adds login and permission validation for resetIrcConnection method
diff --git a/apps/meteor/app/irc/server/methods/resetIrcConnection.ts b/apps/meteor/app/irc/server/methods/resetIrcConnection.ts
index aaaeef1c06b8..a42cd80667b4 100644
--- a/apps/meteor/app/irc/server/methods/resetIrcConnection.ts
+++ b/apps/meteor/app/irc/server/methods/resetIrcConnection.ts
@@ -2,6 +2,7 @@ import type { ServerMethods } from '@rocket.chat/ddp-client';
 import { Settings } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
+import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
 import { settings } from '../../../settings/server';
 import Bridge from '../irc-bridge';
@@ -16,8 +17,18 @@ declare module '@rocket.chat/ddp-client' {
 Meteor.methods({
 async resetIrcConnection() {
 const ircEnabled = Boolean(settings.get('IRC_Enabled'));
+ const uid = Meteor.userId();
+
+ if (!uid) {
+ throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'resetIrcConnection' });
+ }
+
+ if (!(await hasPermissionAsync(uid, 'edit-privileged-setting'))) {
+ throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'resetIrcConnection' });
+ }
 const updatedLastPingValue = await Settings.updateValueById('IRC_Bridge_Last_Ping', new Date(0), { upsert: true });
+ if (updatedLastPingValue.modifiedCount || updatedLastPingValue.upsertedCount) {
 void notifyOnSettingChangedById('IRC_Bridge_Last_Ping');
 }
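Review bot: The login and permission guards added to `resetIrcConnection` come with no regression test; the diffstat lists only the changeset file and the method itself, so a later refactor could drop the checks unnoticed. A test that calls the method with no session and with a user lacking `edit-privileged-setting`, asserting `error-invalid-user` and `error-not-allowed` and that `IRC_Bridge_Last_Ping` is not rewritten, would pin the fix. The guards also sit after the `settings.get('IRC_Enabled')` read; that read has no visible side effect, but moving `const uid = Meteor.userId();` and both checks to the first lines of the method keeps all work behind authorization. A short comment such as `// Rewrites IRC_Bridge_Last_Ping, so callers must hold edit-privileged-setting` would record why this permission was chosen. The method body continues past the end of the hunk, so what runs after the setting update is not visible here.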