Merge pull request #7212 from RocketChat/fix-rest-api-list-permissions

[Fix] Users and Channels list not respecting permissions

packages/rocketchat-api/server/v1/channels.js

@@ -332,13 +332,22 @@ RocketChat.API.v1.addRoute('channels.leave', { authRequired: true }, {
 
 RocketChat.API.v1.addRoute('channels.list', { authRequired: true }, {
 	get: {
-		//This is like this only to provide an example of how we routes can be defined :X
+		//This is defined as such only to provide an example of how the routes can be defined :X
 		action() {
 			const { offset, count } = this.getPaginationItems();
 			const { sort, fields, query } = this.parseJsonQuery();
 
 			const ourQuery = Object.assign({}, query, { t: 'c' });
 
+			//Special check for the permissions
+			if (RocketChat.authz.hasPermission(this.userId, 'view-joined-room')) {
+				ourQuery.usernames = {
+					$in: [ this.user.username ]
+				};
+			} else if (!RocketChat.authz.hasPermission(this.userId, 'view-c-room')) {
+				return RocketChat.API.v1.unauthorized();
+			}
+
 			const rooms = RocketChat.models.Rooms.find(ourQuery, {
 				sort: sort ? sort : { name: 1 },
 				skip: offset,

packages/rocketchat-api/server/v1/users.js

@@ -105,6 +105,10 @@ RocketChat.API.v1.addRoute('users.info', { authRequired: true }, {
 
 RocketChat.API.v1.addRoute('users.list', { authRequired: true }, {
 	get() {
+		if (!RocketChat.authz.hasPermission(this.userId, 'view-d-room')) {
+			return RocketChat.API.v1.unauthorized();
+		}
+
 		const { offset, count } = this.getPaginationItems();
 		const { sort, fields, query } = this.parseJsonQuery();