From aa8e6c842830d5abe12128fbe479d7fa6c04feec Mon Sep 17 00:00:00 2001
From: Diego Sampaio
Date: Wed, 18 Oct 2017 12:43:44 -0200
Subject: [PATCH] Do not send joinCode field to clients
---
 .../client/stylesheets/channel-settings.css | 6 +-
 .../client/views/channelSettings.html | 5 ++
 .../client/views/channelSettings.js | 69 +++++++++++++++++--
 packages/rocketchat-lib/package.js | 1 +
 .../server/methods/getRoomJoinCode.js | 17 +++++
 packages/rocketchat-theme/server/colors.less | 2 +-
 server/publications/room.js | 9 +--
 server/startup/roomPublishes.js | 4 --
 8 files changed, 93 insertions(+), 20 deletions(-)
 create mode 100644 packages/rocketchat-lib/server/methods/getRoomJoinCode.js
diff --git a/packages/rocketchat-channel-settings/client/stylesheets/channel-settings.css b/packages/rocketchat-channel-settings/client/stylesheets/channel-settings.css
index 973fadc683ab..3c353185e19e 100644
--- a/packages/rocketchat-channel-settings/client/stylesheets/channel-settings.css
+++ b/packages/rocketchat-channel-settings/client/stylesheets/channel-settings.css
@@ -68,7 +68,7 @@ html.rtl .flex-tab { } } - & .button.edit { + & .button { display: inline-block; visibility: hidden;
@@ -111,12 +111,14 @@ html.rtl .flex-tab { font-size: 0; + display: flex; + & .loading-animation { top: 30px; } &:hover { - & .button.edit { + & .button { visibility: visible; } }
diff --git a/packages/rocketchat-channel-settings/client/views/channelSettings.html b/packages/rocketchat-channel-settings/client/views/channelSettings.html
index e8b3271be881..a2fcdf45cb9e 100644
--- a/packages/rocketchat-channel-settings/client/views/channelSettings.html
+++ b/packages/rocketchat-channel-settings/client/views/channelSettings.html
@@ -66,6 +66,11 @@

{{_ "Room_Info"}}

{{else}} + {{#if $value.showHideValue room}} + + {{/if}}
diff --git a/packages/rocketchat-channel-settings/client/views/channelSettings.js b/packages/rocketchat-channel-settings/client/views/channelSettings.js
index d2ac089a722c..408cc7e41e9d 100644
--- a/packages/rocketchat-channel-settings/client/views/channelSettings.js
+++ b/packages/rocketchat-channel-settings/client/views/channelSettings.js
@@ -73,6 +73,11 @@ Template.channelSettings.helpers({ } }); return t(room && room.ro ? 'True' : 'False'); + }, + showingValue(field) { + const { showingValue } = Template.instance().settings[field]; + + return showingValue && showingValue.get(); } });
@@ -111,10 +116,12 @@ Template.channelSettings.events({ t.saveSetting(); } }, - 'click [data-edit], click .button.edit'(e, t) { + async 'click [data-edit], click .button.edit'(e, t) { e.preventDefault(); let input = $(e.currentTarget); + await t.showValue(this.$key, true); + if (input.hasClass('button')) { input = $(e.currentTarget).siblings('.current-setting'); }
@@ -126,6 +133,11 @@ Template.channelSettings.events({ }), 100); } }, + 'click .button.show'(e, t) { + e.preventDefault(); + + t.showValue(this.$key); + }, 'change [type="radio"]'(e, t) { return t.editing.set($(e.currentTarget).attr('name')); },
@@ -135,7 +147,8 @@ Template.channelSettings.events({ }, 'click .cancel'(e, t) { e.preventDefault(); - return t.editing.set(); + + t.cancelEditing(this.$key); }, 'click .save'(e, t) { e.preventDefault();
@@ -404,14 +417,47 @@ Template.channelSettings.onCreated(function() { joinCode: { type: 'text', label: 'Password', + showingValue: new ReactiveVar(false), + realValue: null, canView(room) { return room.t === 'c' && RocketChat.authz.hasAllPermission('edit-room', room._id); }, canEdit(room) { return RocketChat.authz.hasAllPermission('edit-room', room._id); }, + getValue(room) { + if (this.showingValue.get()) { + return this.realValue; + } + return room.joinCodeRequired ? '*****' : ''; + }, + showHideValue(room) { + return room.joinCodeRequired; + }, + cancelEditing() { + this.showingValue.set(false); + this.realValue = null; + }, + async showValue(room, forceShow = false) { + if (this.showingValue.get()) { + if (forceShow) { + return; + } + this.showingValue.set(false); + this.realValue = null; + + return null; + } + return Meteor.call('getRoomJoinCode', room._id, (error, result) => { + if (error) { + return handleError(error); + } + this.realValue = result; + this.showingValue.set(true); + }); + }, save(value, room) { - return Meteor.call('saveRoomSettings', room._id, 'joinCode', value, function(err) { + Meteor.call('saveRoomSettings', room._id, 'joinCode', value, function(err) { if (err) { return handleError(err); }
@@ -421,7 +467,7 @@ Template.channelSettings.onCreated(function() { } } }; - return this.saveSetting = () => { + this.saveSetting = () => { const room = ChatRoom.findOne(this.data && this.data.rid); const field = this.editing.get(); let value;
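Review bot: The `showValue` added to the `joinCode` setting returns the result of `Meteor.call(...)` with a callback, which on the client is `undefined` rather than a promise, so the `await t.showValue(this.$key, true)` added to the edit click handler resumes before `realValue` has been set. The edit field can therefore open while `getValue` still returns the `'*****'` mask (the template markup is not visible here, so how the input is filled is an assumption). Resolving a promise from the callback, as sketched below, makes the await wait for the server reply. Separately, `canView` and `canEdit` gate on `edit-room` while the new server method requires `view-join-code`, so a user holding only `edit-room` would get an error through `handleError` when showing or editing the join code.

```javascript
async showValue(room, forceShow = false) {
	// … unchanged: early return / toggle-off branch when the value is already showing …
	return new Promise((resolve) => {
		Meteor.call('getRoomJoinCode', room._id, (error, result) => {
			if (error) {
				handleError(error);
				return resolve();
			}
			this.realValue = result;
			this.showingValue.set(true);
			resolve();
		});
	});
},
```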
@@ -435,6 +481,19 @@ Template.channelSettings.onCreated(function() { if (value !== room[field]) { this.settings[field].save(value, room); } - return this.editing.set(); + + this.cancelEditing(field); + }; + this.showValue = async(field, forceShow) => { + if (!this.settings[field].showValue) { + return; + } + const room = ChatRoom.findOne(this.data && this.data.rid); + return this.settings[field].showValue(room, forceShow); + }; + this.cancelEditing = (field) => { + const { cancelEditing } = this.settings[field]; + cancelEditing && cancelEditing.call(this.settings[field]); + this.editing.set(); }; });
diff --git a/packages/rocketchat-lib/package.js b/packages/rocketchat-lib/package.js
index 7be42499e08a..f0e2fb5b6a72 100644
--- a/packages/rocketchat-lib/package.js
+++ b/packages/rocketchat-lib/package.js
@@ -152,6 +152,7 @@ Package.onUse(function(api) { api.addFiles('server/methods/filterATAllTag.js', 'server'); api.addFiles('server/methods/getChannelHistory.js', 'server'); api.addFiles('server/methods/getFullUserData.js', 'server'); + api.addFiles('server/methods/getRoomJoinCode.js', 'server'); api.addFiles('server/methods/getRoomRoles.js', 'server'); api.addFiles('server/methods/getServerInfo.js', 'server'); api.addFiles('server/methods/getSingleMessage.js', 'server');
diff --git a/packages/rocketchat-lib/server/methods/getRoomJoinCode.js b/packages/rocketchat-lib/server/methods/getRoomJoinCode.js
new file mode 100644
index 000000000000..fe127a084e9c
--- /dev/null
+++ b/packages/rocketchat-lib/server/methods/getRoomJoinCode.js
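Review bot: In the last `channelSettings.js` hunk, the context line `if (value !== room[field])` in `saveSetting` still compares against the client's room document, which after this commit no longer carries `joinCode`, so for that field the check is always true and every save submits whatever the input holds. If the input can still contain the `'*****'` mask (the template is not visible here), the mask itself would be stored as the join code. Letting the setting supply the current value would cover it, e.g. `const current = this.settings[field].getValue ? this.settings[field].getValue(room) : room[field];` followed by `if (value !== current)`. The new `this.showValue` also passes the result of `ChatRoom.findOne(...)` straight on, and the `joinCode` implementation reads `room._id`, so an `if (!room) { return; }` guard is worth adding. The enclosing `onCreated` callback starts outside this hunk.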
@@ -0,0 +1,17 @@
+Meteor.methods({
+ getRoomJoinCode(rid) {
+ check(rid, String);
+
+ if (!Meteor.userId()) {
+ throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'getJoinCode' });
+ }
+
+ if (!RocketChat.authz.hasPermission(Meteor.userId(), 'view-join-code')) {
+ throw new Meteor.Error('error-not-authorized', 'Not authorized', { method: 'getJoinCode' });
+ }
+
+ const [ room ] = RocketChat.models.Rooms.findById(rid).fetch();
+
+ return room && room.joinCode;
+ }
+});
diff --git a/packages/rocketchat-theme/server/colors.less b/packages/rocketchat-theme/server/colors.less
index 1f381243b80d..627cea3d8e3f 100755
--- a/packages/rocketchat-theme/server/colors.less
+++ b/packages/rocketchat-theme/server/colors.less
@@ -714,7 +714,7 @@ input:-webkit-autofill { } } - .button.edit { + .button { .buttonColors(lighten(@primary-font-color, 25%), @secondary-background-color); }
diff --git a/server/publications/room.js b/server/publications/room.js
index 047a9318b87a..90d60a340e24 100644
--- a/server/publications/room.js
+++ b/server/publications/room.js
@@ -38,14 +38,7 @@ const roomMap = (record, fields) => { return {}; }; -function getFieldsForUserId(userId) { - if (RocketChat.authz.hasPermission(userId, 'view-join-code')) { - return { - ...fields, - joinCode: 1 - }; - } - +function getFieldsForUserId(/*userId*/) { return fields; }
diff --git a/server/startup/roomPublishes.js b/server/startup/roomPublishes.js
index 0bf9e17c0f38..4c310142388e 100644
--- a/server/startup/roomPublishes.js
+++ b/server/startup/roomPublishes.js
@@ -20,10 +20,6 @@ Meteor.startup(function() { } }; - if (RocketChat.authz.hasPermission(this.userId, 'view-join-code')) { - options.fields.joinCode = 1; - } - if (RocketChat.authz.hasPermission(this.userId, 'view-c-room')) { return RocketChat.models.Rooms.findByTypeAndName('c', identifier, options); } else if (RocketChat.authz.hasPermission(this.userId, 'view-joined-room')) {
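Review bot: The new `getRoomJoinCode` method checks `view-join-code` without any room scope and then returns the code for whatever `rid` the caller supplies, so nothing confirms that the caller may access that room. Before this commit the field only reached clients through the room publications, which (per the `roomPublishes.js` context lines) also required `view-c-room` or `view-joined-room`. I would pass `rid` as the permission scope and confirm room access before returning, as sketched below; the scope argument and the `canAccessRoom` method are as I recall them from this codebase, so verify both. The error details also name `getJoinCode` while the method is `getRoomJoinCode`, and the query loads the whole room document where a projection on `joinCode` would do.

```javascript
getRoomJoinCode(rid) {
	// … unchanged: check(rid, String) and the logged-in check …
	const userId = Meteor.userId();

	if (!RocketChat.authz.hasPermission(userId, 'view-join-code', rid)) {
		throw new Meteor.Error('error-not-authorized', 'Not authorized', { method: 'getRoomJoinCode' });
	}

	if (!Meteor.call('canAccessRoom', rid, userId)) {
		throw new Meteor.Error('error-not-authorized', 'Not authorized', { method: 'getRoomJoinCode' });
	}

	const room = RocketChat.models.Rooms.findOneById(rid, { fields: { joinCode: 1 } });

	return room && room.joinCode;
}
```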
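Review bot: In `server/publications/room.js`, `getFieldsForUserId(/*userId*/)` is left as a stub that ignores its argument, and nothing records why. A one-line comment would keep `joinCode` from being added back to the publication later, for example `// joinCode is never published; clients fetch it on demand through the getRoomJoinCode method`. The `fields` object is defined outside this hunk, so it is worth confirming that it includes `joinCodeRequired`, which the new client code reads, and does not still list `joinCode`.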