feat!: Add permissions to create rooms in teams

.changeset/gentle-kings-greet.md

@@ -0,0 +1,11 @@
+---
+"@rocket.chat/meteor": major
+---
+
+Adds a new set of permissions to provide a more granular control for the creation and deletion of rooms within teams
+ - `create-team-channel`: controls the creations of public rooms within teams, it is checked within the team's main room scope and overrides the global `create-c` permission check. That is, granting this permission to a role allows users to create channels in teams even if they do not have the permission to create channels globally;
+ - `create-team-group`: controls the creations of private rooms within teams, it is checked within the team's main room scope and overrides the global `create-p` permission check. That is, granting this permission to a role allows users to create groups in teams even if they do not have the permission to create groups globally;
+ - `delete-team-channel`: controls the deletion of public rooms within teams, it is checked within the team's main room scope and complements the global `delete-c` permission check. That is, users must have both permissions (`delete-c` in the channel scope and `delete-team-channel` in its team scope) in order to be able to delete a channel in a team;
+ - `delete-team-group`: controls the deletion of private rooms within teams, it is checked within the team's main room scope and complements the global `delete-p` permission check. That is, users must have both permissions (`delete-p` in the group scope and `delete-team-group` in its team scope) in order to be able to delete a group in a team;;
+
+Renames `add-team-channel` permission (used for adding existing rooms to teams) to `move-room-to-team`, since it is applied to groups and channels.

apps/meteor/app/api/server/api.ts

@@ -1021,6 +1021,7 @@ export const API: {
 				members?: { key: string; value?: string[] };
 				customFields?: { key: string; value?: string };
 				teams?: { key: string; value?: string[] };
+				teamId?: { key: string; value?: string };
 			}) => Promise<void>;
 			execute: (
 				userId: string,

apps/meteor/app/api/server/v1/channels.ts

@@ -643,8 +643,15 @@ async function createChannelValidator(params: {
 	members?: { key: string; value?: string[] };
 	customFields?: { key: string; value?: string };
 	teams?: { key: string; value?: string[] };
+	teamId?: { key: string; value?: string };
 }) {
-	if (!(await hasPermissionAsync(params.user.value, 'create-c'))) {
+	const teamId = params.teamId?.value;
+
+	const team = teamId && (await Team.getInfoById(teamId));
+	if (
+		(!teamId && !(await hasPermissionAsync(params.user.value, 'create-c'))) ||
+		(teamId && team && !(await hasPermissionAsync(params.user.value, 'create-team-channel', team.roomId)))
+	) {
 		throw new Error('unauthorized');
 	}
 
@@ -725,6 +732,10 @@ API.v1.addRoute(
 						value: bodyParams.teams,
 						key: 'teams',
 					},
+					teamId: {
+						value: bodyParams.extraData?.teamId,
+						key: 'teamId',
+					},
 				});
 			} catch (e: any) {
 				if (e.message === 'unauthorized') {

apps/meteor/app/api/server/v1/teams.ts

@@ -173,7 +173,7 @@ API.v1.addRoute(
 				return API.v1.failure('team-does-not-exist');
 			}
 
-			if (!(await hasPermissionAsync(this.userId, 'add-team-channel', team.roomId))) {
+			if (!(await hasPermissionAsync(this.userId, 'move-room-to-team', team.roomId))) {
 				return API.v1.unauthorized('error-no-permission-team-channel');
 			}
 

apps/meteor/app/authorization/server/constant/permissions.ts

@@ -193,7 +193,11 @@ export const permissions = [
 	{ _id: 'edit-team', roles: ['admin', 'owner'] },
 	{ _id: 'add-team-member', roles: ['admin', 'owner', 'moderator'] },
 	{ _id: 'edit-team-member', roles: ['admin', 'owner', 'moderator'] },
-	{ _id: 'add-team-channel', roles: ['admin', 'owner', 'moderator'] },
+	{ _id: 'move-room-to-team', roles: ['admin', 'owner', 'moderator'] },
+	{ _id: 'create-team-channel', roles: ['admin', 'owner', 'moderator'] },
+	{ _id: 'create-team-group', roles: ['admin', 'owner', 'moderator'] },
+	{ _id: 'delete-team-channel', roles: ['admin', 'owner', 'moderator'] },
+	{ _id: 'delete-team-group', roles: ['admin', 'owner', 'moderator'] },
 	{ _id: 'edit-team-channel', roles: ['admin', 'owner', 'moderator'] },
 	{ _id: 'remove-team-channel', roles: ['admin', 'owner', 'moderator'] },
 	{ _id: 'view-all-team-channels', roles: ['admin', 'owner'] },

apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts

@@ -102,19 +102,38 @@ const validators: RoomSettingsValidators = {
 			return;
 		}
 
-		if (value === 'c' && !(await hasPermissionAsync(userId, 'create-c'))) {
+		if (value === 'c' && !room.teamId && !(await hasPermissionAsync(userId, 'create-c'))) {
 			throw new Meteor.Error('error-action-not-allowed', 'Changing a private group to a public channel is not allowed', {
 				method: 'saveRoomSettings',
 				action: 'Change_Room_Type',
 			});
 		}
 
-		if (value === 'p' && !(await hasPermissionAsync(userId, 'create-p'))) {
+		if (value === 'p' && !room.teamId && !(await hasPermissionAsync(userId, 'create-p'))) {
 			throw new Meteor.Error('error-action-not-allowed', 'Changing a public channel to a private room is not allowed', {
 				method: 'saveRoomSettings',
 				action: 'Change_Room_Type',
 			});
 		}
+
+		if (!room.teamId) {
+			return;
+		}
+		const team = await Team.getInfoById(room.teamId);
+
+		if (value === 'c' && !(await hasPermissionAsync(userId, 'create-team-channel', team?.roomId))) {
+			throw new Meteor.Error('error-action-not-allowed', `Changing a team's private group to a public channel is not allowed`, {
+				method: 'saveRoomSettings',
+				action: 'Change_Room_Type',
+			});
+		}
+
+		if (value === 'p' && !(await hasPermissionAsync(userId, 'create-team-group', team?.roomId))) {
+			throw new Meteor.Error('error-action-not-allowed', `Changing a team's public channel to a private room is not allowed`, {
+				method: 'saveRoomSettings',
+				action: 'Change_Room_Type',
+			});
+		}
 	},
 	async encrypted({ userId, value, room, rid }) {
 		if (value !== room.encrypted) {

apps/meteor/app/lib/server/methods/createChannel.ts

@@ -1,6 +1,6 @@
-import type { ICreatedRoom } from '@rocket.chat/core-typings';
+import type { ICreatedRoom, ITeam } from '@rocket.chat/core-typings';
 import type { ServerMethods } from '@rocket.chat/ddp-client';
-import { Users } from '@rocket.chat/models';
+import { Users, Team } from '@rocket.chat/models';
 import { Match, check } from 'meteor/check';
 import { Meteor } from 'meteor/meteor';
 
@@ -40,9 +40,18 @@ export const createChannelMethod = async (
 		throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'createChannel' });
 	}
 
-	if (!(await hasPermissionAsync(userId, 'create-c'))) {
+	if (extraData.teamId) {
+		const team = await Team.findOneById<Pick<ITeam, '_id' | 'roomId'>>(extraData.teamId, { projection: { roomId: 1 } });
+		if (!team) {
+			throw new Meteor.Error('error-team-not-found', 'The "teamId" param provided does not match any team', { method: 'createChannel' });
+		}
+		if (!(await hasPermissionAsync(userId, 'create-team-channel', team.roomId))) {
+			throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'createChannel' });
+		}
+	} else if (!(await hasPermissionAsync(userId, 'create-c'))) {
 		throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'createChannel' });
 	}
+
 	return createRoom('c', name, user, members, excludeSelf, readOnly, {
 		customFields,
 		...extraData,

apps/meteor/app/lib/server/methods/createPrivateGroup.ts

@@ -1,6 +1,6 @@
-import type { ICreatedRoom, IUser } from '@rocket.chat/core-typings';
+import type { ICreatedRoom, IUser, ITeam } from '@rocket.chat/core-typings';
 import type { ServerMethods } from '@rocket.chat/ddp-client';
-import { Users } from '@rocket.chat/models';
+import { Users, Team } from '@rocket.chat/models';
 import { Match, check } from 'meteor/check';
 import { Meteor } from 'meteor/meteor';
 
@@ -25,8 +25,8 @@ export const createPrivateGroupMethod = async (
 	name: string,
 	members: string[],
 	readOnly = false,
-	customFields = {},
-	extraData = {},
+	customFields: Record<string, any> = {},
+	extraData: Record<string, any> = {},
 	excludeSelf = false,
 ): Promise<
 	ICreatedRoom & {
@@ -36,7 +36,17 @@ export const createPrivateGroupMethod = async (
 	check(name, String);
 	check(members, Match.Optional([String]));
 
-	if (!(await hasPermissionAsync(user._id, 'create-p'))) {
+	if (extraData.teamId) {
+		const team = await Team.findOneById<Pick<ITeam, '_id' | 'roomId'>>(extraData.teamId, { projection: { roomId: 1 } });
+		if (!team) {
+			throw new Meteor.Error('error-team-not-found', 'The "teamId" param provided does not match any team', {
+				method: 'createPrivateGroup',
+			});
+		}
+		if (!(await hasPermissionAsync(user._id, 'create-team-group', team.roomId))) {
+			throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'createPrivateGroup' });
+		}
+	} else if (!(await hasPermissionAsync(user._id, 'create-p'))) {
 		throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'createPrivateGroup' });
 	}
 

apps/meteor/client/sidebar/header/CreateChannel/CreateChannelModal.tsx

@@ -1,3 +1,4 @@
+import type { IRoom } from '@rocket.chat/core-typings';
 import {
 	Box,
 	Modal,
@@ -36,6 +37,7 @@ import { useEncryptedRoomDescription } from '../hooks/useEncryptedRoomDescriptio
 
 type CreateChannelModalProps = {
 	teamId?: string;
+	mainRoom?: IRoom;
 	onClose: () => void;
 	reload?: () => void;
 };
@@ -61,7 +63,7 @@ const getFederationHintKey = (licenseModule: ReturnType<typeof useHasLicenseModu
 	return 'Federation_Matrix_Federated_Description';
 };
 
-const CreateChannelModal = ({ teamId = '', onClose, reload }: CreateChannelModalProps): ReactElement => {
+const CreateChannelModal = ({ teamId = '', mainRoom, onClose, reload }: CreateChannelModalProps): ReactElement => {
 	const t = useTranslation();
 	const canSetReadOnly = usePermissionWithScopedRoles('set-readonly', ['owner']);
 	const e2eEnabled = useSetting('E2E_Enable');
@@ -71,7 +73,7 @@ const CreateChannelModal = ({ teamId = '', onClose, reload }: CreateChannelModal
 	const e2eEnabledForPrivateByDefault = useSetting('E2E_Enabled_Default_PrivateRooms') && e2eEnabled;
 
 	const canCreateChannel = usePermission('create-c');
-	const canCreatePrivateChannel = usePermission('create-p');
+	const canCreateGroup = usePermission('create-p');
 	const getEncryptedHint = useEncryptedRoomDescription('channel');
 
 	const channelNameRegex = useMemo(() => new RegExp(`^${namesValidation}$`), [namesValidation]);
@@ -82,17 +84,20 @@ const CreateChannelModal = ({ teamId = '', onClose, reload }: CreateChannelModal
 	const createChannel = useEndpoint('POST', '/v1/channels.create');
 	const createPrivateChannel = useEndpoint('POST', '/v1/groups.create');
 
+	const canCreateTeamChannel = usePermission('create-team-channel', mainRoom?._id);
+	const canCreateTeamGroup = usePermission('create-team-group', mainRoom?._id);
+
 	const dispatchToastMessage = useToastMessageDispatch();
 
 	const canOnlyCreateOneType = useMemo(() => {
-		if (!canCreateChannel && canCreatePrivateChannel) {
+		if ((!teamId && !canCreateChannel && canCreateGroup) || (teamId && !canCreateTeamChannel && canCreateTeamGroup)) {
 			return 'p';
 		}
-		if (canCreateChannel && !canCreatePrivateChannel) {
+		if ((!teamId && canCreateChannel && !canCreateGroup) || (teamId && canCreateTeamChannel && !canCreateTeamGroup)) {
 			return 'c';
 		}
 		return false;
-	}, [canCreateChannel, canCreatePrivateChannel]);
+	}, [canCreateChannel, canCreateGroup, canCreateTeamChannel, canCreateTeamGroup, teamId]);
 
 	const {
 		register,
@@ -267,7 +272,7 @@ const CreateChannelModal = ({ teamId = '', onClose, reload }: CreateChannelModal
 										id={privateId}
 										aria-describedby={`${privateId}-hint`}
 										ref={ref}
-										checked={value}
+										checked={canOnlyCreateOneType ? canOnlyCreateOneType === 'p' : value}
 										disabled={!!canOnlyCreateOneType}
 										onChange={onChange}
 									/>

apps/meteor/client/views/hooks/roomActions/useDeleteRoom.tsx

@@ -2,7 +2,7 @@ import type { IRoom, RoomAdminFieldsType } from '@rocket.chat/core-typings';
 import { isRoomFederated } from '@rocket.chat/core-typings';
 import { useMutableCallback } from '@rocket.chat/fuselage-hooks';
 import { useSetModal, useToastMessageDispatch, useRouter, usePermission, useEndpoint, useTranslation } from '@rocket.chat/ui-contexts';
-import { useMutation } from '@tanstack/react-query';
+import { useMutation, useQuery } from '@tanstack/react-query';
 import React from 'react';
 
 import GenericModal from '../../../components/GenericModal';
@@ -13,14 +13,25 @@ export const useDeleteRoom = (room: IRoom | Pick<IRoom, RoomAdminFieldsType>, {
 	const router = useRouter();
 	const setModal = useSetModal();
 	const dispatchToastMessage = useToastMessageDispatch();
-	const hasPermissionToDelete = usePermission(`delete-${room.t}`, room._id);
-	const canDeleteRoom = isRoomFederated(room) ? false : hasPermissionToDelete;
 	// eslint-disable-next-line no-nested-ternary
 	const roomType = 'prid' in room ? 'discussion' : room.teamId && room.teamMain ? 'team' : 'channel';
 	const isAdminRoute = router.getRouteName() === 'admin-rooms';
 
 	const deleteRoomEndpoint = useEndpoint('POST', '/v1/rooms.delete');
 	const deleteTeamEndpoint = useEndpoint('POST', '/v1/teams.delete');
+	const teamsInfoEndpoint = useEndpoint('GET', '/v1/teams.info');
+
+	const teamId = room.teamId || '';
+	const { data: teamInfoData } = useQuery(['teamId', teamId], async () => teamsInfoEndpoint({ teamId }), {
+		keepPreviousData: true,
+		retry: false,
+		enabled: room.teamId !== '',
+	});
+
+	const hasPermissionToDeleteRoom = usePermission(`delete-${room.t}`, room._id);
+	const hasPermissionToDeleteTeamRoom = usePermission(`delete-team-${room.t === 'c' ? 'channel' : 'group'}`, teamInfoData?.teamInfo.roomId);
+	const isTeamRoom = room.teamId;
+	const canDeleteRoom = isRoomFederated(room) ? false : hasPermissionToDeleteRoom && (!isTeamRoom || hasPermissionToDeleteTeamRoom);
 
 	const deleteRoomMutation = useMutation({
 		mutationFn: deleteRoomEndpoint,

apps/meteor/client/views/room/contextualBar/Info/EditRoomInfo/useEditRoomPermissions.ts

@@ -1,5 +1,6 @@
 import type { IRoom, IRoomWithRetentionPolicy } from '@rocket.chat/core-typings';
-import { usePermission, useAtLeastOnePermission, useRole } from '@rocket.chat/ui-contexts';
+import { usePermission, useAtLeastOnePermission, useRole, useEndpoint } from '@rocket.chat/ui-contexts';
+import { useQuery } from '@tanstack/react-query';
 import { useMemo } from 'react';
 
 import { E2EEState } from '../../../../../../app/e2e/client/E2EEState';
@@ -12,11 +13,28 @@ const getCanChangeType = (room: IRoom | IRoomWithRetentionPolicy, canCreateChann
 
 export const useEditRoomPermissions = (room: IRoom | IRoomWithRetentionPolicy) => {
 	const isAdmin = useRole('admin');
-	const canCreateChannel = usePermission('create-c');
-	const canCreateGroup = usePermission('create-p');
 	const e2eeState = useE2EEState();
 	const isE2EEReady = e2eeState === E2EEState.READY || e2eeState === E2EEState.SAVE_PASSWORD;
-	const canChangeType = getCanChangeType(room, canCreateChannel, canCreateGroup, isAdmin);
+	const canCreateChannel = usePermission('create-c');
+	const canCreateGroup = usePermission('create-p');
+	const teamsInfoEndpoint = useEndpoint('GET', '/v1/teams.info');
+
+	const teamId = room.teamId || '';
+	const { data: teamInfoData } = useQuery(['teamId', teamId], async () => teamsInfoEndpoint({ teamId }), {
+		keepPreviousData: true,
+		retry: false,
+		enabled: room.teamId !== '',
+	});
+
+	const canCreateTeamChannel = usePermission('create-team-channel', teamInfoData?.teamInfo.roomId);
+	const canCreateTeamGroup = usePermission('create-team-group', teamInfoData?.teamInfo.roomId);
+
+	const canChangeType = getCanChangeType(
+		room,
+		teamId ? canCreateTeamChannel : canCreateChannel,
+		teamId ? canCreateTeamGroup : canCreateGroup,
+		isAdmin,
+	);
 	const canSetReadOnly = usePermission('set-readonly', room._id);
 	const canSetReactWhenReadOnly = usePermission('set-react-when-readonly', room._id);
 	const canEditRoomRetentionPolicy = usePermission('edit-room-retention-policy', room._id);

apps/meteor/client/views/teams/contextualBar/channels/TeamsChannelItem.tsx

@@ -34,9 +34,11 @@ const TeamsChannelItem = ({ room, mainRoom, onClickView, reload }: TeamsChannelI
 
 	const [showButton, setShowButton] = useState();
 
-	const canRemoveTeamChannel = usePermission('remove-team-channel', rid);
-	const canEditTeamChannel = usePermission('edit-team-channel', rid);
-	const canDeleteTeamChannel = usePermission(type === 'c' ? 'delete-c' : 'delete-p', rid);
+	const canRemoveTeamChannel = usePermission('remove-team-channel', mainRoom._id);
+	const canEditTeamChannel = usePermission('edit-team-channel', mainRoom._id);
+	const canDeleteChannel = usePermission(`delete-${type}`, rid);
+	const canDeleteTeamChannel = usePermission(`delete-team-${type === 'c' ? 'channel' : 'group'}`, mainRoom._id);
+	const canDelete = canDeleteChannel && canDeleteTeamChannel;
 
 	const isReduceMotionEnabled = usePrefersReducedMotion();
 	const handleMenuEvent = {
@@ -67,7 +69,7 @@ const TeamsChannelItem = ({ room, mainRoom, onClickView, reload }: TeamsChannelI
 					)}
 				</Box>
 			</OptionContent>
-			{(canRemoveTeamChannel || canEditTeamChannel || canDeleteTeamChannel) && (
+			{(canRemoveTeamChannel || canEditTeamChannel || canDelete) && (
 				<OptionMenu onClick={onClick}>
 					{showButton ? <TeamsChannelItemMenu room={room} mainRoom={mainRoom} reload={reload} /> : <IconButton tiny icon='kebab' />}
 				</OptionMenu>

apps/meteor/client/views/teams/contextualBar/channels/TeamsChannelsWithData.tsx

@@ -1,6 +1,6 @@
 import type { IRoom } from '@rocket.chat/core-typings';
 import { useLocalStorage, useDebouncedValue, useEffectEvent } from '@rocket.chat/fuselage-hooks';
-import { useSetModal, usePermission } from '@rocket.chat/ui-contexts';
+import { useSetModal, usePermission, useAtLeastOnePermission } from '@rocket.chat/ui-contexts';
 import React, { useCallback, useMemo, useState } from 'react';
 
 import { useRecordList } from '../../../../hooks/lists/useRecordList';
@@ -17,7 +17,8 @@ const TeamsChannelsWithData = () => {
 	const room = useRoom();
 	const setModal = useSetModal();
 	const { closeTab } = useRoomToolbox();
-	const canAddExistingTeam = usePermission('add-team-channel', room._id);
+	const canAddExistingRoomToTeam = usePermission('move-room-to-team', room._id);
+	const canCreateRoomInTeam = useAtLeastOnePermission(['create-team-channel', 'create-team-group'], room._id);
 
 	const { teamId } = room;
 
@@ -44,7 +45,7 @@ const TeamsChannelsWithData = () => {
 	});
 
 	const handleCreateNew = useEffectEvent(() => {
-		setModal(<CreateChannelWithData teamId={teamId} onClose={() => setModal(null)} reload={reload} />);
+		setModal(<CreateChannelWithData teamId={teamId} mainRoom={room} onClose={() => setModal(null)} reload={reload} />);
 	});
 
 	const goToRoom = useEffectEvent((room: IRoom) => {
@@ -62,8 +63,8 @@ const TeamsChannelsWithData = () => {
 			channels={items}
 			total={total}
 			onClickClose={closeTab}
-			onClickAddExisting={canAddExistingTeam && handleAddExisting}
-			onClickCreateNew={canAddExistingTeam && handleCreateNew}
+			onClickAddExisting={canAddExistingRoomToTeam && handleAddExisting}
+			onClickCreateNew={canCreateRoomInTeam && handleCreateNew}
 			onClickView={goToRoom}
 			loadMoreItems={loadMoreItems}
 			reload={reload}