RocketChat · sampaiodiego · Oct 25, 2020 · Sep 18, 2020 · Sep 18, 2020 · Sep 18, 2020
diff --git a/app/channel-settings/server/methods/saveRoomSettings.js b/app/channel-settings/server/methods/saveRoomSettings.js
@@ -104,6 +104,14 @@ const validators = {
 			});
 		}
 	},
+	roomAvatar({ userId, rid }) {
+		if (!hasPermission(userId, 'edit-room-avatar', rid)) {
+			throw new Meteor.Error('error-action-not-allowed', 'Editing a room avatar is not allowed', {
+				method: 'saveRoomSettings',
+				action: 'Editing_room',
+			});
+		}
+	},
 };
 
 const settingSavers = {

diff --git a/app/file-upload/server/lib/FileUpload.js b/app/file-upload/server/lib/FileUpload.js
@@ -181,7 +181,12 @@ export const FileUpload = {
 		if (settings.get('Accounts_AvatarResize') !== true) {
 			return;
 		}
-		if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
+
+		if (file.rid) {
+			if (!hasPermission(Meteor.userId(), 'edit-room-avatar', file.rid)) {
+				throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
+			}
+		} else if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
 			throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
 		}
 

diff --git a/app/lib/server/functions/setRoomAvatar.js b/app/lib/server/functions/setRoomAvatar.js
@@ -12,6 +12,9 @@ export const setRoomAvatar = function(rid, dataURI, user) {
 
 	if (!dataURI) {
 		fileStore.deleteByRoomId(rid);
+		Messages.createRoomSettingsChangedWithTypeRoomIdMessageAndUser('room_changed_avatar', rid, '', user);
+		Notifications.notifyLogged('updateAvatar', { rid });
+
 		return Rooms.unsetAvatarData(rid);
 	}
 
@@ -27,6 +30,10 @@ export const setRoomAvatar = function(rid, dataURI, user) {
 	};
 
 	fileStore.insert(file, buffer, (err, result) => {
+		if (err) {
+			throw err;
+		}
+
 		Meteor.setTimeout(function() {
 			if (current) {
 				fileStore.deleteById(current._id);

diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -1350,6 +1350,8 @@
   "edit-privileged-setting": "Edit privileged Setting",
   "edit-privileged-setting_description": "Permission to edit settings",
   "edit-room": "Edit Room",
+  "edit-room-avatar": "Edit Room Avatar",
+  "edit-room-avatar_description": "Permission to edit a room's avatar.",
   "edit-room_description": "Permission to edit a room's name, topic, type (private or public status) and status (active or archived)",
   "edit-room-retention-policy": "Edit Room's Retention Policy",
   "edit-room-retention-policy_description": "Permission to edit a room’s retention policy, to automatically delete messages in it",