Skip to content

[FIX] Quoted messages from message links when user has no permission #20815

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sampaiodiego merged 8 commits into from
Feb 20, 2021
Merged

[FIX] Quoted messages from message links when user has no permission #20815

sampaiodiego merged 8 commits into from
Feb 20, 2021

Conversation

@KevLehman
Copy link
Member

@KevLehman KevLehman commented Feb 18, 2021

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

@sampaiodiego sampaiodiego changed the title Fix leaking messages [FIX] Quoted messages from message links Feb 18, 2021
sampaiodiego
sampaiodiego requested changes Feb 19, 2021
View reviewed changes
app/oembed/server/jumpToMessage.js Outdated

// validates if user can see the message
// user has to belong to the room the message was first wrote in
const canAccessRoom = Meteor.call('canAccessRoom', jumpToMessage.rid, Meteor.userId());
Copy link
Member

@sampaiodiego sampaiodiego Feb 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please try to avoid using Meteor methods, specially on server code. always check if there is a service that does the same and if you can't used async functions (like here), look for alternative functions or use Promise.await.

to check if a user has permission to access a room you can use canAccessRoom

Copy link
Member Author

@KevLehman KevLehman Feb 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

sampaiodiego
sampaiodiego requested changes Feb 19, 2021
View reviewed changes
app/oembed/server/jumpToMessage.js Outdated

// validates if user can see the message
// user has to belong to the room the message was first wrote in
const canAccessRoomForUser = canAccessRoom({ _id: jumpToMessage.rid }, Meteor.user());
Copy link
Member

@sampaiodiego sampaiodiego Feb 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you'll need to send a complete Room object to canAccessRoom..

I'd also recommend to store Meteor.user() in a variable instead of calling it inside the loop.

Copy link
Member Author

@KevLehman KevLehman Feb 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding this one, I noticed that in other places they were retrieving Rooms.findById(...., { _id: 1 }). That will exclude other fields and returning just the ID as an object. This mimics the same behavior to avoid calling the database n times. (And it looks like its working haha)

Regarding the Meteor.user I didn't know it was an expensive operation, I'll move it to the top.

app/oembed/server/jumpToMessage.js Outdated
// validates if user can see the message
// user has to belong to the room the message was first wrote in
const canAccessRoomForUser = canAccessRoom({ _id: jumpToMessage.rid }, Meteor.user());
if (jumpToMessage && canAccessRoomForUser) {
Copy link
Member

@sampaiodiego sampaiodiego Feb 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not having a shortcut as others here? 😬

Suggested change
if (jumpToMessage && canAccessRoomForUser) {
if (!canAccessRoomForUser) {
return;
}

Copy link
Member Author

@KevLehman KevLehman Feb 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, yes 🤔 since we are checking for jumpToMessage some lines above, it makes sense to use the shortcircuit here. Nice catch!

@sampaiodiego sampaiodiego changed the title [FIX] Quoted messages from message links [FIX] Quoted messages from message links when user has no permission Feb 20, 2021
@sampaiodiego sampaiodiego merged commit c0f67ec into develop Feb 20, 2021
@sampaiodiego sampaiodiego deleted the fix-leaking-messages branch February 20, 2021 02:53
@sampaiodiego sampaiodiego mentioned this pull request Feb 28, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sampaiodiego sampaiodiego sampaiodiego approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@KevLehman @sampaiodiego