Permission to access setting permissions
mrsimpson committed Nov 20, 2017
1 parent c87a30d commit 48b1076
Showing 8 changed files with 47 additions and 23 deletions.
44 changes: 24 additions & 20 deletions packages/rocketchat-authorization/client/views/permissions.html
Expand Up @@ -41,29 +41,33 @@
{{> permissionsTable permissions=permissions allRoles=roles}}
</div>
</div>
<div class="rocket-form">
<div class="section {{#unless settingPermissionExpanded}}section-collapsed{{/unless}}">
<div class="section-title">
<div class="section-title-text">
{{_ "setting-permissions"}}</div>
<div class="section-title-right">
<button class="button primary js-toggle-setting-permissions"><span>
{{#if settingPermissionExpanded }}
{{_ "Collapse"}}
{{else}}
{{_ "Expand"}}
{{/if}}
</span>
</button>
{{#if hasSettingPermission}}
<div class="rocket-form">
<div class="section {{#unless settingPermissionExpanded}}section-collapsed{{/unless}}">
<div class="section-title">
<div class="section-title-text">
{{_ "Setting_permissions"}}</div>
<div class="section-title-right">
<button class="button primary js-toggle-setting-permissions"><span>
{{#if settingPermissionExpanded }}
{{_ "Collapse"}}
{{else}}
{{_ "Expand"}}
{{/if}}
</span>
</button>
</div>
</div>
<div class="section-content border-component-color">
{{#if settingPermissionExpanded }}
{{> permissionsTable permissions=settingPermissions allRoles=roles}}
{{else}}
{{_ "Not_authorized"}}
{{/if}}
</div>
</div>
<div class="section-content border-component-color">
{{#if settingPermissionExpanded }}
{{> permissionsTable permissions=settingPermissions allRoles=roles}}
{{/if}}
</div>
</div>
</div>
{{/if}}
{{else}}
{{_ "Not_authorized"}}
{{/if}}
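Review bot: The `{{else}}{{_ "Not_authorized"}}` branch placed inside `section-content`, right after `{{> permissionsTable permissions=settingPermissions allRoles=roles}}`, shows an authorization message whenever the section is merely collapsed — if that branch is on the new side, which the lost +/- markers leave uncertain although the 29/33 line counts of the hunk suggest it is. Collapsed and unauthorized are different states, and the new `{{#if hasSettingPermission}}` wrapper already covers the latter, so that inner `{{else}}` branch should be dropped (a collapsed section renders empty) or given its own collapsed-state string instead of reusing `Not_authorized`. Worth keeping in mind that this template gate only hides the UI; the `access-setting-permissions` checks in the server methods of this commit are what enforce access, so the permission name must stay identical in both places.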
4 changes: 4 additions & 0 deletions packages/rocketchat-authorization/client/views/permissions.js
Expand Up @@ -26,6 +26,10 @@ Template.permissions.helpers({
return RocketChat.authz.hasAllPermission('access-permissions');
},

hasSettingPermission() {
return RocketChat.authz.hasAllPermission('access-setting-permissions');
},

settingPermissionExpanded() {
return Template.instance().settingPermissionsExpanded.get();
}
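Review bot: The new `hasSettingPermission` helper is undocumented, and since it reads like a security gate the comment should say what it actually is: a client-side display check that mirrors, but does not replace, the `access-setting-permissions` check in the `authorization:addPermissionToRole` and `authorization:removeRoleFromPermission` methods. Suggest a JSDoc above it: `/** Display gate only: hides the setting-permissions section unless the user holds 'access-setting-permissions'. Enforcement lives in the server methods. */`. Unlike the server check it does not also require `access-permissions`; that is fine only if the template nests it under `hasPermission`, which the outer `{{else}}{{_ "Not_authorized"}}` in permissions.html suggests but this hunk does not show. The helpers object continues outside the hunk.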
@@ -1,12 +1,17 @@
import {permissionLevel} from '../../lib/rocketchat';

Meteor.methods({
'authorization:addPermissionToRole'(permission, role) {
if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')) {
if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')
|| (permission.level === permissionLevel.SETTING && !RocketChat.authz.hasPermission(Meteor.userId(), 'access-setting-permissions'))
) {
throw new Meteor.Error('error-action-not-allowed', 'Adding permission is not allowed', {
method: 'authorization:addPermissionToRole',
action: 'Adding_permission'
});
}

// for setting-based-permissions, authorize the group access as well
const addParentPermissions = function(permissionId, role) {
const permission = RocketChat.models.Permissions.findOneById(permissionId);
if (permission.groupPermissionId) {
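Review bot: The added level check reads `permission.level` from the method's own argument, i.e. from a value the caller supplies, so whether `access-setting-permissions` is required is decided by what the client sends rather than by what is stored; the same method later resolves permissions through `RocketChat.models.Permissions.findOneById(permissionId)` in `addParentPermissions`, and that stored record is what the check should be based on. Suggest resolving first and testing the stored level, assuming the argument carries the `_id` that the helper later looks up (not visible in the hunk): `const stored = RocketChat.models.Permissions.findOneById(permission && permission._id);` before the `if`, and `|| (stored && stored.level === permissionLevel.SETTING && !RocketChat.authz.hasPermission(Meteor.userId(), 'access-setting-permissions'))` in place of the current level clause. The same pattern appears in the `authorization:removeRoleFromPermission` hunk below. Validating the argument with `check(permission, Object)` before the condition would also avoid a TypeError on a missing argument, which presumably surfaces as an internal error instead of the intended `error-action-not-allowed`. The method body continues past the hunk.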
@@ -1,12 +1,18 @@
import {permissionLevel} from '../../lib/rocketchat';

Meteor.methods({
'authorization:removeRoleFromPermission'(permission, role) {
if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')) {
if (!Meteor.userId() || !RocketChat.authz.hasPermission(Meteor.userId(), 'access-permissions')
|| (permission.level === permissionLevel.SETTING && !RocketChat.authz.hasPermission(Meteor.userId(), 'access-setting-permissions'))
) {
throw new Meteor.Error('error-action-not-allowed', 'Accessing permissions is not allowed', {
method: 'authorization:removeRoleFromPermission',
action: 'Accessing_permissions'
});
}

// for setting based permissions, revoke the group permission once all setting permissions
// related to this group have been removed
const removeStaleParentPermissions = function(permissionId, role) {
const permission = RocketChat.models.Permissions.findOneById(permissionId);
if (permission.groupPermissionId) {
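Review bot: `Meteor.userId()` is now called three times inside the guard condition, from `if (!Meteor.userId() ...` through the new `access-setting-permissions` clause; hoisting it into `const userId = Meteor.userId();` before the `if` and using `userId` in all three places reads better and makes it explicit that every check is made against the same user. The same applies to the guard in `authorization:addPermissionToRole`. The method body continues past the hunk.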
Expand Up @@ -28,7 +28,7 @@ Meteor.methods({
const records = RocketChat.models.Permissions.find({
level: permissionLevel.SETTING,
groupPermissionId: {$exists: true} //filter group permissions themselves, as they are being assigned implicitly
}, {}, {sort:{group: 1, section: 1}}).fetch();
}, {}, {sort: {group: 1, section: 1}}).fetch();

if (updatedAt instanceof Date) {
return {
1 change: 1 addition & 0 deletions packages/rocketchat-authorization/server/startup.js
Expand Up @@ -10,6 +10,7 @@ Meteor.startup(function() {
// 2. admin, moderator, and user roles should not be deleted as they are referened in the code.
const permissions = [
{_id: 'access-permissions', roles: ['admin']},
{_id: 'access-setting-permissions', roles: ['admin']},
{_id: 'add-oauth-service', roles: ['admin']},
{_id: 'add-user-to-joined-room', roles: ['admin', 'owner', 'moderator']},
{_id: 'add-user-to-any-c-room', roles: ['admin']},
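Review bot: The new `access-setting-permissions` entry has no matching `access-setting-permissions_description` i18n key, whereas its neighbour `access-permissions` carries `access-permissions_description` (both visible in the en/de hunks of this commit), which presumably leaves the permissions screen without a description for it. Suggest adding `"access-setting-permissions_description": "Modify permissions whose level is setting-based."` (constructed wording) next to the new key in both i18n files. A short comment on the array entry would also help, e.g. `// required in addition to 'access-permissions' to change setting-level permissions`. The `permissions` array continues outside the hunk.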
2 changes: 2 additions & 0 deletions packages/rocketchat-i18n/i18n/de.i18n.json
Expand Up @@ -16,6 +16,7 @@
"access-mailer_description": "Berechtigung, Massen-E-Mails an alle Benutzer zu versenden.",
"access-permissions": "Zugriff auf die Berechtigungs-Übersicht",
"access-permissions_description": "Anpassen der Berechtigungen für die unterschiedlichen Rollen.",
"access-setting-permissions": "Zugriff die Übersicht der Einstellungs-Berechtigungen",
"Access_not_authorized": "Der Zugriff ist nicht gestattet.",
"Access_Token_URL": "URL des Access-Token",
"Accessing_permissions": "Zugriff auf Berechtigungen",
Expand Down Expand Up @@ -1573,6 +1574,7 @@
"Set_as_leader": "Zum Diskussionsleiter ernennen",
"Set_as_moderator": "Zum Moderator ernennen",
"Set_as_owner": "Zum Besitzer machen",
"Setting_permissions": "Berechtigung, Einstellungen zu ändern",
"Settings": "Einstellungen",
"Settings_updated": "Die Einstellungen wurden aktualisiert",
"Share_Location_Title": "Standort teilen?",
2 changes: 2 additions & 0 deletions packages/rocketchat-i18n/i18n/en.i18n.json
Expand Up @@ -16,6 +16,7 @@
"access-mailer_description": "Permission to send mass email to all users.",
"access-permissions": "Access Permissions Screen",
"access-permissions_description": "Modify permissions for various roles.",
"access-setting-permissions": "Modify setting-based permissions",
"Access_not_authorized": "Access not authorized",
"Access_Token_URL": "Access Token URL",
"Accessing_permissions": "Accessing permissions",
Expand Down Expand Up @@ -1606,6 +1607,7 @@
"Set_as_leader": "Set as leader",
"Set_as_moderator": "Set as moderator",
"Set_as_owner": "Set as owner",
"Setting_permissions": "Permission to change settings",
"Settings": "Settings",
"Settings_updated": "Settings updated",
"Share_Location_Title": "Share Location?",