UI-adaptation: Allow users with permission 'manage-selected-permissio…

…ns' to see and change the affected settings. However, this is not reactive: Once the permissions for a particular setting are changed, the user needs to log off and on again before it becomes effective in the UI. This is most probably a consequence of the CachedCollection. This collection needed to be changed on permission-change. In the backend however, the permissions become effective immediately.
redlink-gmbh · Nov 21, 2017 · 00e4bb5 · 00e4bb5
1 parent daccad8
commit 00e4bb5
Show file tree

Hide file tree

Showing 11 changed files with 40 additions and 60 deletions.
diff --git a/packages/rocketchat-authorization/client/views/permissions.html b/packages/rocketchat-authorization/client/views/permissions.html
@@ -38,7 +38,7 @@
 				<a href="{{pathFor "admin-permissions-new"}}" class="button primary new-role">{{_ "New_role"}}</a>
 				<div class="rocket-form">
 					<div class="section">
-						{{> permissionsTable permissions=permissions allRoles=roles}}
+						{{> permissionsTable permissions=permissions allRoles=roles collection='Chat'}}
 					</div>
 				</div>
 				{{#if hasSettingPermission}}
@@ -60,7 +60,7 @@
 							</div>
 							<div class="section-content border-component-color">
 								{{#if settingPermissionExpanded }}
-									{{> permissionsTable permissions=settingPermissions allRoles=roles}}
+									{{> permissionsTable permissions=settingPermissions allRoles=roles collection='Setting'}}
 								{{else}}
 									{{_ "Not_authorized"}}
 								{{/if}}

diff --git a/packages/rocketchat-authorization/client/views/permissions.js b/packages/rocketchat-authorization/client/views/permissions.js
@@ -94,7 +94,6 @@ Template.permissionsTable.events({
 	}
 });
 
-
 Template.permissionsTable.onCreated(function() {
 	this.permissionByRole = {};
 	this.actions = {
@@ -114,7 +113,13 @@ Template.permissionsTable.onCreated(function() {
 				delete this.permissionByRole[id];
 			}
 		};
-		ChatPermissions.find().observeChanges(observer);
-		SettingPermissions.find().observeChanges(observer);
+		if (this.data.collection === 'Chat') {
+			ChatPermissions.find().observeChanges(observer);
+		}
+
+		if (this.data.collection === 'Setting') {
+			SettingPermissions.find().observeChanges(observer);
+		}
 	});
 });
+
diff --git a/packages/rocketchat-authorization/server/publications/permissions.js b/packages/rocketchat-authorization/server/publications/permissions.js
@@ -51,5 +51,8 @@ Meteor.methods({
 
 RocketChat.models.Permissions.on('changed', (type, permission) => {
 	RocketChat.Notifications.notifyLoggedInThisInstance('permissions-changed', type, permission);
+	if (permission.level === permissionLevel.SETTING) {
+		RocketChat.Notifications.notifyLoggedInThisInstance('selected-settings-changed', type, permission);
+	}
 });
 
diff --git a/packages/rocketchat-authorization/server/startup.js b/packages/rocketchat-authorization/server/startup.js
@@ -64,7 +64,7 @@ Meteor.startup(function() {
 		{_id: 'view-other-user-channels', roles: ['admin']},
 		{_id: 'view-p-room', roles: ['admin', 'user', 'anonymous']},
 		{_id: 'view-privileged-setting', roles: ['admin']},
-		{_id: 'view-selected-settings', roles: ['admin']},
+		{_id: 'manage-selected-settings', roles: ['admin']},
 		{_id: 'view-room-administration', roles: ['admin']},
 		{_id: 'view-statistics', roles: ['admin']},
 		{_id: 'view-user-administration', roles: ['admin']},

diff --git a/packages/rocketchat-lib/server/methods/saveSetting.js b/packages/rocketchat-lib/server/methods/saveSetting.js
@@ -8,9 +8,13 @@ Meteor.methods({
 			});
 		}
 
-		if (!RocketChat.authz.hasPermission(Meteor.userId(), 'edit-privileged-setting')) {
+		if (!RocketChat.authz.hasPermission(Meteor.userId(), 'edit-privileged-setting')
+			&& !(
+				RocketChat.authz.hasAllPermission(Meteor.userId(), ['manage-selected-settings', `change-setting-${ _id }`])
+			)) {
 			throw new Meteor.Error('error-action-not-allowed', 'Editing settings is not allowed', {
-				method: 'saveSetting'
+				method: 'saveSetting',
+				settingId: _id
 			});
 		}
 

diff --git a/packages/rocketchat-lib/server/publications/settings.js b/packages/rocketchat-lib/server/publications/settings.js
@@ -31,42 +31,16 @@ Meteor.methods({
 			return [];
 		}
 		this.unblock();
-		if (!RocketChat.authz.hasPermission(Meteor.userId(), 'view-privileged-setting')) {
-			return [];
-		}
-		const records = RocketChat.models.Settings.find().fetch().filter(function(record) {
-			return record.hidden !== true;
-		});
-		if (updatedAt instanceof Date) {
-			return {
-				update: records.filter(function(record) {
-					return record._updatedAt > updatedAt;
-				}),
-				remove: RocketChat.models.Settings.trashFindDeletedAfter(updatedAt, {
-					hidden: {
-						$ne: true
-					}
-				}, {
-					fields: {
-						_id: 1,
-						_deletedAt: 1
-					}
-				}).fetch()
-			};
-		}
-		return records;
-	},
-	'selected-settings/get'(updatedAt) {
-		if (!Meteor.userId()) {
-			return [];
-		}
-		this.unblock();
-		if (!RocketChat.authz.hasPermission(Meteor.userId(), 'view-selected-settings')) {
-			return [];
-		}
 		const records = RocketChat.models.Settings.find().fetch().filter(function(record) {
-			return record.hidden !== true && RocketChat.authz.hasPermission(Meteor.userId(), `change-setting-${ record._id }`);
+			if (RocketChat.authz.hasPermission(Meteor.userId(), 'view-privileged-setting')) {
+				return record.hidden !== true;
+			} else if (RocketChat.authz.hasPermission(Meteor.userId(), 'manage-selected-settings')) {
+				return record.hidden !== true && RocketChat.authz.hasPermission(Meteor.userId(), `change-setting-${ record._id }`);
+			} else {
+				return false;
+			}
 		});
+
 		if (updatedAt instanceof Date) {
 			return {
 				update: records.filter(function(record) {

diff --git a/packages/rocketchat-ui-admin/client/admin.html b/packages/rocketchat-ui-admin/client/admin.html
@@ -15,7 +15,7 @@ <h2>
 			</header>
 
 			<div class="content background-transparent-dark">
-				{{#unless hasPermission 'view-privileged-setting'}}
+				{{#unless hasSettingPermission}}
 					<p>{{_ "You_are_not_authorized_to_view_this_page"}}</p>
 				{{else}}
 					{{#if description}}

diff --git a/packages/rocketchat-ui-admin/client/admin.js b/packages/rocketchat-ui-admin/client/admin.js
@@ -52,18 +52,8 @@ Template.admin.onCreated(function() {
 		RocketChat.settings.collectionPrivate = RocketChat.settings.cachedCollectionPrivate.collection;
 		RocketChat.settings.cachedCollectionPrivate.init();
 	}
-
-	// settings which the user is explicitly allowed to change
-	if (RocketChat.settings.cachedCollectionSelected == null) {
-		RocketChat.settings.cachedCollectionSelected = new RocketChat.CachedCollection({
-			name: 'selected-settings',
-			eventType: 'onLogged'
-		});
-		RocketChat.settings.collectionSelected = RocketChat.settings.cachedCollectionSelected.collection;
-		RocketChat.settings.cachedCollectionSelected.init();
-	}
 	this.selectedRooms = new ReactiveVar({});
-	const observation = {
+	RocketChat.settings.collectionPrivate.find().observe({
 		added: (data) => {
 			const selectedRooms = this.selectedRooms.get();
 			if (data.type === 'roomPick') {
@@ -88,17 +78,17 @@ Template.admin.onCreated(function() {
 			}
 			TempSettings.remove(data._id);
 		}
-	};
-
-	RocketChat.settings.collectionPrivate.find().observe(observation);
-	RocketChat.settings.collectionSelected.find().observe(observation);
+	});
 });
 
 Template.admin.onDestroyed(function() {
 	TempSettings.remove({});
 });
 
 Template.admin.helpers({
+	hasSettingPermission() {
+		return RocketChat.authz.hasAtLeastOnePermission(['view-privileged-setting', 'manage-selected-settings']);
+	},
 	languages() {
 		const languages = TAPi18n.getLanguages();
 

diff --git a/packages/rocketchat-ui-admin/client/adminFlex.html b/packages/rocketchat-ui-admin/client/adminFlex.html
@@ -31,7 +31,7 @@ <h1 class="sidebar-flex__title">{{_ "Administration"}}</h1>
 				{{/each}}
 			</ul>
 
-			{{#if hasPermission 'view-privileged-setting'}}
+			{{#if hasSettingPermission}}
 				<h3 class="rooms-list__type">{{_ "Settings"}}</h3>
 				<div class="rc-input sidebar-flex__search">
 					<label class="rc-input__label">

diff --git a/packages/rocketchat-ui-admin/client/adminFlex.js b/packages/rocketchat-ui-admin/client/adminFlex.js
@@ -22,6 +22,10 @@ const label = function() {
 // });
 
 Template.adminFlex.helpers({
+	hasSettingPermission() {
+		return RocketChat.authz.hasAtLeastOnePermission(['view-privileged-setting', 'manage-selected-settings']);
+	},
+
 	groups() {
 		const filter = Template.instance().settingsFilter.get();
 		const query = {

diff --git a/packages/rocketchat-ui-sidenav/client/accountBox.js b/packages/rocketchat-ui-sidenav/client/accountBox.js
@@ -38,7 +38,7 @@ Template.accountBox.helpers({
 Template.accountBox.events({
 	'click .sidebar__account.active'() {
 		let adminOption;
-		if (RocketChat.authz.hasAtLeastOnePermission(['view-statistics', 'view-room-administration', 'view-user-administration', 'view-privileged-setting' ]) || (RocketChat.AdminBox.getOptions().length > 0)) {
+		if (RocketChat.authz.hasAtLeastOnePermission(['view-statistics', 'view-room-administration', 'view-user-administration', 'view-privileged-setting', 'manage-selected-settings' ]) || (RocketChat.AdminBox.getOptions().length > 0)) {
 			adminOption = {
 				icon: 'customize',
 				name: t('Administration'),