Implicitly assign and revoke setting group permissions

packages/rocketchat-authorization/server/methods/addPermissionToRole.js

@@ -7,6 +7,17 @@ Meteor.methods({
 			});
 		}
 
+		const addParentPermissions = function(permissionId, role) {
+			const permission = RocketChat.models.Permissions.findOneById(permissionId);
+			if (permission.groupPermissionId) {
+				const groupPermission = RocketChat.models.Permissions.findOneById(permission.groupPermissionId);
+				if (groupPermission.roles.indexOf(role) === -1) {
+					RocketChat.models.Permissions.addRole(permission.groupPermissionId, role);
+				}
+			}
+		};
+
+		addParentPermissions(permission, role);
 		return RocketChat.models.Permissions.addRole(permission, role);
 	}
 });

packages/rocketchat-authorization/server/methods/removeRoleFromPermission.js

@@ -7,6 +7,22 @@ Meteor.methods({
 			});
 		}
 
-		return RocketChat.models.Permissions.removeRole(permission, role);
+		const removeStaleParentPermissions = function(permissionId, role) {
+			const permission = RocketChat.models.Permissions.findOneById(permissionId);
+			if (permission.groupPermissionId) {
+				const groupPermission = RocketChat.models.Permissions.findOneById(permission.groupPermissionId);
+				if (groupPermission.roles.indexOf(role) !== -1) {
+					// the role has the group permission assigned, so check whether it's still needed
+					if (RocketChat.models.Permissions.find({
+						groupPermissionId: permission.groupPermissionId,
+						roles: role
+					}).count() === 0) {
+						RocketChat.models.Permissions.removeRole(permission.groupPermissionId, role);
+					}
+				}
+			}
+		};
+		RocketChat.models.Permissions.removeRole(permission, role);
+		removeStaleParentPermissions(permission, role);
 	}
 });

packages/rocketchat-authorization/server/publications/permissions.js

@@ -11,7 +11,12 @@ Meteor.methods({
 				update: records.filter((record) => {
 					return record._updatedAt > updatedAt;
 				}),
-				remove: RocketChat.models.Permissions.trashFindDeletedAfter(updatedAt, {}, {fields: {_id: 1, _deletedAt: 1}}).fetch()
+				remove: RocketChat.models.Permissions.trashFindDeletedAfter(updatedAt, {}, {
+					fields: {
+						_id: 1,
+						_deletedAt: 1
+					}
+				}).fetch()
 			};
 		}
 
@@ -20,14 +25,22 @@ Meteor.methods({
 	'setting-permissions/get'(updatedAt) {
 		this.unblock();
 
-		const records = RocketChat.models.Permissions.find({level: permissionLevel.SETTING}).fetch();
+		const records = RocketChat.models.Permissions.find({
+			level: permissionLevel.SETTING,
+			groupPermissionId: {$exists: true} //filter group permissions themselves, as they are being assigned implicitly
+		}).fetch();
 
 		if (updatedAt instanceof Date) {
 			return {
 				update: records.filter((record) => {
 					return record._updatedAt > updatedAt;
 				}),
-				remove: RocketChat.models.Permissions.trashFindDeletedAfter(updatedAt, {}, {fields: {_id: 1, _deletedAt: 1}}).fetch()
+				remove: RocketChat.models.Permissions.trashFindDeletedAfter(updatedAt, {}, {
+					fields: {
+						_id: 1,
+						_deletedAt: 1
+					}
+				}).fetch()
 			};
 		}
 

packages/rocketchat-authorization/server/startup.js

@@ -104,20 +104,35 @@ Meteor.startup(function() {
 		return `change-setting-${ settingId }`;
 	};
 
-	const obsoleteSettingPermissions = {};
+	const previousSettingPermissions = {};
 	RocketChat.models.Permissions.find({level: permissionLevel.SETTING}).fetch().forEach(
 		function(permission) {
-			obsoleteSettingPermissions[permission._id] = permission;
+			previousSettingPermissions[permission._id] = permission;
 		});
 	RocketChat.models.Settings.findNotHidden().fetch().forEach((setting) => {
 		const permissionId = getSettingPermissionId(setting._id);
-		const permission = {_id: permissionId, level: permissionLevel.SETTING};
+		const permission = {
+			_id: permissionId,
+			level: permissionLevel.SETTING
+		};
+		// copy previously assigned roles if available
+		if (previousSettingPermissions[permissionId] && previousSettingPermissions[permissionId].roles) {
+			permission.roles = previousSettingPermissions[permissionId].roles;
+		} else {
+			permission.roles = [];
+		}
+		if (setting.group) {
+			permission.groupPermissionId = getSettingPermissionId(setting.group);
+		}
+		if (setting.section) {
+			permission.sectionPermissionId = getSettingPermissionId(setting.section);
+		}
 		RocketChat.models.Permissions.upsert(permission._id, {$set: permission});
-		delete obsoleteSettingPermissions[permissionId];
+		delete previousSettingPermissions[permissionId];
 	});
 
-	for (const obsoletePermission in obsoleteSettingPermissions) {
-		if (obsoleteSettingPermissions.hasOwnProperty(obsoletePermission)) {
+	for (const obsoletePermission in previousSettingPermissions) {
+		if (previousSettingPermissions.hasOwnProperty(obsoletePermission)) {
 			RocketChat.models.Permissions.remove({_id: obsoletePermission});
 			SystemLogger.info('Removed permission', obsoletePermission);
 		}