Skip to content

[Regression] Omnichannel visitors not able to upload files #19429

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
murtaza98 wants to merge 4 commits into from
Closed

[Regression] Omnichannel visitors not able to upload files #19429

murtaza98 wants to merge 4 commits into from

Conversation

@murtaza98
Copy link
Contributor

@murtaza98 murtaza98 commented Nov 2, 2020
edited
Loading

Proposed changes

Issue(s)

In the latest version of Rocket.Chat I found a bug due to which any omnichannel visitors were not able to upload files. When I tried uploading files from Livechat widget, I was getting this error.

errorClass [Error]: Forbidden [forbidden]
     at Object.<anonymous> (packages/jalik:ufs/ufs-store.js:339:12)
     at packages/matb33:collection-hooks/insert.js:16:28
     at Array.forEach (<anonymous>)
     at Object.<anonymous> (packages/matb33:collection-hooks/insert.js:15:22)
     at Object.collection.<computed> [as insert] (packages/matb33:collection-hooks/collection-hooks.js:93:21)
     at ns.Collection.insert (packages/mongo/collection.js:523:39)
     at ns.Collection.Mongo.Collection.<computed> [as insert] (packages/dispatch_run-as-user.js:325:19)
     at BaseDb.insert (app/models/server/models/_BaseDb.js:282:33)
     at ns.Collection.model.insert (app/models/server/models/_BaseDb.js:133:16)
     at GridFSStore.Store.self.create (packages/jalik:ufs/ufs-store.js:202:33)
     at FileUploadClass._doInsert (app/file-upload/server/lib/FileUpload.js:556:29)
     at FileUploadClass.insert (app/file-upload/server/lib/FileUpload.js:594:15)
     at packages/meteor.js:306:21
     at app/apps/server/bridges/uploads.js:53:26
     at runWithEnvironment (packages/meteor.js:1286:24)
     at packages/meteor.js:1299:14
     at new Promise (<anonymous>)
     at app/apps/server/bridges/uploads.js:51:10
     at /home/murtaza/.meteor/packages/promise/.0.11.2.uc9obv.dy3mq++os+web.browser+web.browser.legacy+web.cordova/npm/node_modules/meteor-promise/fiber_pool.js:43:40 {
	   isClientSafe: true,
	   error: 'forbidden',
	   reason: 'Forbidden',
	   details: undefined,
	   errorType: 'Meteor.Error'
	 }

and when I tried to upload via Apps-Engine latest upload interface, I was facing this error

errorClass [Error]: File does not match filter [invalid-file]
     at Filter.check (packages/jalik:ufs/ufs-filter.js:108:12)
     at FileUploadClass.insert (app/file-upload/server/lib/FileUpload.js:591:11)
     at packages/meteor.js:306:21
     at app/apps/server/bridges/uploads.js:53:26
     at runWithEnvironment (packages/meteor.js:1286:24)
     at packages/meteor.js:1299:14
     at new Promise (<anonymous>)
     at app/apps/server/bridges/uploads.js:51:10
     at /home/murtaza/.meteor/packages/promise/.0.11.2.uc9obv.dy3mq++os+web.browser+web.browser.legacy+web.cordova/npm/node_modules/meteor-promise/fiber_pool.js:43:40 {
	   isClientSafe: true,
	   error: 'invalid-file',
	   reason: 'File does not match filter',
	   details: undefined,
	   errorType: 'Meteor.Error'
	 }

How to test or reproduce

Via Livechat widget

  1. Open Livechat widget (http://localhost:3000/livechat) and send a message to start a session with livechat agent
  2. Upload any file. (This should throw an error saying FileUpload error. It u check the console it should show that the api was unsuccessful)

Via Apps-Engine
Set this visitorToken property within IUploadDescriptor

My Server Configuration

Rocket.Chat server Version | 3.8.0-develop
Apps Engine Version |1.19.0-alpha.4006
OS Platform | linux

Screenshots

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • Improvement (non-breaking change which improves a current function)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Hotfix (a major bugfix that has to be merged asap)
  • Documentation Update (if none of the other choices apply)

Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA
  • Lint and unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works (if applicable)
  • I have added necessary documentation (if applicable)
  • Any dependent changes have been merged and published in downstream modules

Changelog

Further comments

@murtaza98 murtaza98 marked this pull request as draft November 2, 2020 05:27
@murtaza98 murtaza98 marked this pull request as ready for review November 2, 2020 06:07
@shiqimei shiqimei requested a review from d-gubert November 3, 2020 03:57
shiqimei
shiqimei approved these changes Nov 3, 2020
View reviewed changes
Copy link
Contributor

@shiqimei shiqimei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

shiqimei
shiqimei reviewed Nov 3, 2020
View reviewed changes
app/file-upload/server/lib/FileUpload.js
const directMessageAllowed = settings.get('FileUpload_Enabled_Direct');
const fileUploadAllowed = settings.get('FileUpload_Enabled');
if (user?.type !== 'app' && canAccessRoom(room, user, file) !== true) {
if (user && user.type !== 'app' && canAccessRoom(room, user, file) !== true) {
Copy link
Contributor

@shiqimei shiqimei Nov 3, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@d-gubert I believe this bug was introduced in this commit 259af21#diff-2b708d47a45f905401f41f0b318f2462e95eebf42d8e049bc5474a6f65d2e779R69

@murtaza98 murtaza98 changed the title [FIX] Omnichannel visitors not able to upload files [Regression] Omnichannel visitors not able to upload files Nov 3, 2020
@murtaza98 murtaza98 added this to the 3.8.0 milestone Nov 3, 2020
sampaiodiego
sampaiodiego requested changes Nov 8, 2020
View reviewed changes
app/file-upload/lib/FileUploadBase.js
}

// allows inserts from omnichannel visitors
if (doc.visitorToken) {
Copy link
Member

@sampaiodiego sampaiodiego Nov 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should not allow any document just because if has a visitorToken, it could lead to undesired results..

I think the permission validation was fixed by #19468

can you please test again removing this code and getting the latest changes from develop?

Copy link
Contributor Author

@murtaza98 murtaza98 Nov 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @sampaiodiego It seems that the latest changes on develop branch have fixed all the above error which I was facing.

Its also worth mentioning that this change is also not required, since the of this validator which canAccessRoom calls returns true if the visitor belongs to the same room.

@murtaza98
Copy link
Contributor Author

murtaza98 commented Nov 8, 2020

The errors I was facing in this PR, are fixed by #19468. Hence I'm closing this PR. Thanks everyone for all the help 😃

@murtaza98 murtaza98 closed this Nov 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sampaiodiego sampaiodiego sampaiodiego requested changes

@renatobecker renatobecker Awaiting requested review from renatobecker

@d-gubert d-gubert Awaiting requested review from d-gubert

+1 more reviewer

@shiqimei shiqimei shiqimei approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

3.8.0

Development

Successfully merging this pull request may close these issues.

3 participants

@murtaza98 @sampaiodiego @shiqimei