[IMPROVE] Add rooms property in user object, if the user has the perm…

…ission, with rooms roles (#12105) * Add rooms property in user object, if he has the permission, with your rooms roles * Add option to return user's rooms only when requested
RocketChat · Nov 20, 2018 · 8744bd3 · 8744bd3
1 parent fcd881b
commit 8744bd3
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 2 deletions.
diff --git a/packages/rocketchat-api/server/v1/users.js b/packages/rocketchat-api/server/v1/users.js
@@ -117,7 +117,8 @@ RocketChat.API.v1.addRoute('users.getPresence', { authRequired: true }, {
 RocketChat.API.v1.addRoute('users.info', { authRequired: true }, {
 	get() {
 		const { username } = this.getUserFromParams();
-
+		const { fields } = this.parseJsonQuery();
+		let user = {};
 		let result;
 		Meteor.runAsUser(this.userId, () => {
 			result = Meteor.call('getFullUserData', { username, limit: 1 });
@@ -127,8 +128,24 @@ RocketChat.API.v1.addRoute('users.info', { authRequired: true }, {
 			return RocketChat.API.v1.failure(`Failed to get the user data for the userId of "${ username }".`);
 		}
 
+		user = result[0];
+		if (fields.userRooms === 1 && RocketChat.authz.hasPermission(this.userId, 'view-other-user-channels')) {
+			user.rooms = RocketChat.models.Subscriptions.findByUserId(this.userId, {
+				fields: {
+					rid: 1,
+					name: 1,
+					t: 1,
+					roles: 1,
+				},
+				sort: {
+					t: 1,
+					name: 1,
+				},
+			}).fetch();
+		}
+
 		return RocketChat.API.v1.success({
-			user: result[0],
+			user,
 		});
 	},
 });

diff --git a/tests/end-to-end/api/01-users.js b/tests/end-to-end/api/01-users.js
@@ -238,6 +238,35 @@ describe('[Users]', function() {
 				})
 				.end(done);
 		});
+		it('should return "rooms" property when user request it and the user has the necessary permission (admin, "view-other-user-channels")', (done) => {
+			request.get(api('users.info'))
+				.set(credentials)
+				.query({
+					userId: targetUser._id,
+					fields: JSON.stringify({ userRooms: 1 }),
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.nested.property('user.rooms').and.to.be.an('array');
+				})
+				.end(done);
+		});
+		it('should NOT return "rooms" property when user NOT request it but the user has the necessary permission (admin, "view-other-user-channels")', (done) => {
+			request.get(api('users.info'))
+				.set(credentials)
+				.query({
+					userId: targetUser._id,
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.not.have.nested.property('user.rooms');
+				})
+				.end(done);
+		});
 	});
 
 	describe('[/users.getPresence]', () => {