
Commit 6a49770

authored
regression: validate the subscription status on unban (RocketChat#40237)
1 parent 2632182 commit 6a49770

1 file changed

Lines changed: 10 additions & 5 deletions


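--- a/apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts
+++ b/apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts
@@ -1,5 +1,5 @@
 import { Message } from '@rocket.chat/core-services';
-import { isBannedSubscription, type IUser } from '@rocket.chat/core-typings';
+import { isBannedSubscription, isInviteSubscription, type IUser } from '@rocket.chat/core-typings';
 import { Rooms, Subscriptions, Users } from '@rocket.chat/models';
 
 import { afterUnbanFromRoomCallback } from '../../../../server/lib/callbacks/afterUnbanFromRoomCallback';
@@ -20,17 +20,22 @@ export const executeUnbanUserFromRoom = async function (rid: string, user: IUser
 throw new Error('error-invalid-subscription');
 }
 
-// if the subscription is not banned anymore it means we received an invite and then updated the status.
-// after the invite was accepted we receive a leave event (meaning the user was unbanned), so at this point
-// we just need send the message to say the user was unbanned.
-if (!isBannedSubscription(subscription)) {
+// if the subscription is an invite it means we were unbanned and then invited again, then
+// the invite was accepted and we receive a leave event (meaning the user was unbanned), so
+// at this point we just need send the message to say the user was unbanned.
+if (isInviteSubscription(subscription)) {
 await Message.saveSystemMessage('user-unbanned', rid, user.username, user, {
 u: { _id: byUser._id, username: byUser.username },
 });
 
 return;
 }
 
+// if the subscription exists and is not an invite and not banned
+if (!isBannedSubscription(subscription)) {
+throw new Error('error-user-not-banned');
+}
+
 // Remove the subscription entirely — the user is no longer banned but also not a member.
 // Room count and __rooms were already adjusted during ban, so we only delete the document.
 await Subscriptions.removeById(subscription._id);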
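Review bot: The invite branch (new lines 26–32) still writes a `user-unbanned` system message attributed to `byUser` for any invite subscription, and nothing visible in the hunk establishes that a ban ever existed for this user; if a caller can reach this function for a user who was only invited, the room's moderation history would record an unban that never happened. If the caller guarantees that precondition, the comment should say so, e.g. `// callers only reach this point after a leave event for a previously banned user; an invite here means the ban was already lifted`. The comment on new line 34 is a fragment and should state the consequence, e.g. `// a subscription that is neither an invite nor banned has nothing to unban, so reject the call`. The commit is labelled a regression fix but changes only this one file, so the three subscription states (invite, banned, other) appear to gain no test alongside it. The function body starts and ends outside the hunk, so any permission check on `byUser` is not visible here.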
