diff --git a/apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts b/apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
index 4b202c1c5735c..4260161d1435b 100644
--- a/apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
+++ b/apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
@@ -18,5 +18,5 @@ beforeAddUserToRoom.patch(async (prev, users, room, actor) => {
 throw new Error('error-room-is-abac-managed');
 }
- await Abac.checkUsernamesMatchAttributes(validUsers as string[], room.abacAttributes, room._id);
+ await Abac.checkUsernamesMatchAttributes(validUsers as string[], room.abacAttributes, room);
 });
diff --git a/ee/packages/abac/src/index.ts b/ee/packages/abac/src/index.ts
index 8df0a03783dae..1c19944a225cf 100644
--- a/ee/packages/abac/src/index.ts
+++ b/ee/packages/abac/src/index.ts
@@ -463,7 +463,7 @@ export class AbacService extends ServiceClass implements IAbacService {
 await this.onRoomAttributesChanged(room, updated?.abacAttributes || []);
 }
- async checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], objectId: string): Promise {
+ async checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], object: IRoom): Promise {
 if (!usernames.length || !attributes.length) {
 return;
 }
@@ -486,7 +486,7 @@ export class AbacService extends ServiceClass implements IAbacService {
 usernames.forEach((username) => {
 // TODO: Add room name
- void Audit.actionPerformed({ username }, { _id: objectId }, 'system', 'granted-object-access');
+ void Audit.actionPerformed({ username }, { _id: object._id, name: object.name }, 'system', 'granted-object-access');
 });
 }
diff --git a/ee/packages/abac/src/service.spec.ts b/ee/packages/abac/src/service.spec.ts
index 8b7bc98bf414a..831a1f5399432 100644
--- a/ee/packages/abac/src/service.spec.ts
+++ b/ee/packages/abac/src/service.spec.ts
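Review bot: The new `object: IRoom` parameter in the `checkUsernamesMatchAttributes` signature asks for the whole room document although the method only reads `object._id` and `object.name` (visible in the following hunk at line 486); narrowing it to `object: Pick<IRoom, '_id' | 'name'>` states the real contract and matches how `canAccessObject` already takes `room: Pick<...>` in packages/core-services/src/types/IAbacService.ts, whose declaration in this commit has the same issue. If the `Abac` call from the beforeAddUserToRoom hook crosses the service broker, the narrower type also makes it explicit that nothing beyond the id and name needs to travel with each request. The method still has no TSDoc; a short `/** Rejects with error-only-compliant-users-can-be-added-to-abac-rooms unless every username matches the given attributes; records a granted-object-access audit event per user on success. */` would cover it, hedged to whatever the body outside this hunk actually throws. The method body continues past the hunk.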
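Review bot: The `// TODO: Add room name` comment on the context line directly above the changed `Audit.actionPerformed` call is now stale, since the new line adds `name: object.name`; it should be removed in the same change. The call is still fired with `void`, so if `Audit.actionPerformed` can reject, a granted access leaves no audit record and no log line; attaching `.catch((err) => this.logger?.error?.(err))` (or whatever logger the class exposes) keeps the fire-and-forget shape while making the gap visible. If `name` is optional on `IRoom`, the audit payload will carry `name: undefined` for such rooms; confirm the audit consumer tolerates that or fall back to `object._id`.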
@@ -1037,12 +1037,14 @@ describe('AbacService (unit)', () => {
 const attributes = [{ key: 'dept', values: ['eng'] }];
 it('returns early (no query) when usernames array is empty', async () => {
- await expect(service.checkUsernamesMatchAttributes([], attributes as any, 'objectId')).resolves.toBeUndefined();
+ await expect(
+ service.checkUsernamesMatchAttributes([], attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+ ).resolves.toBeUndefined();
 expect(mockUsersFind).not.toHaveBeenCalled();
 });
 it('returns early (no query) when attributes array is empty', async () => {
- await expect(service.checkUsernamesMatchAttributes(['alice'], [], 'objectId')).resolves.toBeUndefined();
+ await expect(service.checkUsernamesMatchAttributes(['alice'], [], { _id: 'xxxxx', name: 'name' } as any)).resolves.toBeUndefined();
 expect(mockUsersFind).not.toHaveBeenCalled();
 });
@@ -1054,7 +1056,9 @@ describe('AbacService (unit)', () => {
 }),
 }));
- await expect(service.checkUsernamesMatchAttributes(usernames, attributes as any, 'objectId')).resolves.toBeUndefined();
+ await expect(
+ service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+ ).resolves.toBeUndefined();
 expect(mockUsersFind).toHaveBeenCalledWith(
 {
@@ -1085,7 +1089,9 @@ describe('AbacService (unit)', () => {
 }),
 }));
- await expect(service.checkUsernamesMatchAttributes(usernames, attributes as any, 'objectId')).rejects.toMatchObject({
+ await expect(
+ service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+ ).rejects.toMatchObject({
 code: 'error-only-compliant-users-can-be-added-to-abac-rooms',
 });
 });
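Review bot: The literal `{ _id: 'xxxxx', name: 'name' } as any` is pasted into every updated call in this hunk and repeated in the hunks at 1054, 1085, 1099 and 1116; hoisting it once beside the existing `attributes` fixture, `const room = { _id: 'xxxxx', name: 'name' } as any;`, and passing `room` keeps the five tests in step when the parameter shape changes again. If `IRoom` is importable in the spec, `as unknown as Pick<IRoom, '_id' | 'name'>` would also drop one `as any` and let the compiler check the fixture against the new signature.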
@@ -1099,7 +1105,9 @@ describe('AbacService (unit)', () => {
 }),
 }));
- await expect(service.checkUsernamesMatchAttributes(usernames, attributes as any, 'objectId')).resolves.toBeUndefined();
+ await expect(
+ service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+ ).resolves.toBeUndefined();
 expect(mockCreateAuditServerEvent).toHaveBeenCalledTimes(usernames.length);
 const calledUsernames = mockCreateAuditServerEvent.mock.calls.map(([, payload]: any[]) => payload?.subject?.username).filter(Boolean);
@@ -1116,7 +1124,9 @@ describe('AbacService (unit)', () => {
 }),
 }));
- await expect(service.checkUsernamesMatchAttributes(usernames, attributes as any, 'objectId')).rejects.toMatchObject({
+ await expect(
+ service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+ ).rejects.toMatchObject({
 code: 'error-only-compliant-users-can-be-added-to-abac-rooms',
 });
diff --git a/packages/core-services/src/types/IAbacService.ts b/packages/core-services/src/types/IAbacService.ts
index 415dd26bfbebc..e7f19e0ad1fd2 100644
--- a/packages/core-services/src/types/IAbacService.ts
+++ b/packages/core-services/src/types/IAbacService.ts
@@ -38,7 +38,7 @@ export interface IAbacService {
 removeRoomAbacAttribute(rid: string, key: string, actor: AbacActor | undefined): Promise;
 addRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor | undefined): Promise;
 replaceRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor | undefined): Promise;
- checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], objectId: string): Promise;
+ checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], object: IRoom): Promise;
 canAccessObject(
 room: Pick,
 user: Pick,
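Review bot: This is the only test that inspects the recorded `mockCreateAuditServerEvent` payloads, yet it still reads just `payload?.subject?.username`, so the behaviour this commit adds (the room `name` alongside `_id` in the audited object) is never asserted and a regression back to `{ _id }` would pass. After the `toHaveBeenCalledTimes` line, add a check over the same calls that the object side of each payload carries `_id: 'xxxxx'` and `name: 'name'`, under whichever key the audit event uses for the object (the sibling of `subject`), e.g. `expect(mockCreateAuditServerEvent.mock.calls.every(([, payload]: any[]) => payload?.object?.name === 'name')).toBe(true);` with the key confirmed against the audit event type. The enclosing `it` block starts before this hunk.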