From 75f0ae31d9c6b6962762d8684e7d743395566188 Mon Sep 17 00:00:00 2001
From: Kevin Aleman <kaleman960@gmail.com>
Date: Fri, 6 Oct 2023 11:27:15 -0600
Subject: [PATCH] fix: Remove monitors query restrictions on update (#30550)

---
 .changeset/dull-trainers-drive.md             |  5 ++++
 .../app/livechat/server/lib/Livechat.js       |  2 +-
 .../hooks/applyDepartmentRestrictions.ts      |  9 +++---
 .../server/hooks/applyRoomRestrictions.ts     |  2 ++
 .../server/methods/getUnitsFromUserRoles.ts   | 30 ++++++++++++++-----
 .../ee/server/models/raw/LivechatRooms.ts     | 27 -----------------
 .../ee/server/models/raw/LivechatUnit.ts      |  9 ------
 .../meteor/server/models/raw/LivechatRooms.ts | 15 ----------
 8 files changed, 36 insertions(+), 63 deletions(-)
 create mode 100644 .changeset/dull-trainers-drive.md

diff --git a/.changeset/dull-trainers-drive.md b/.changeset/dull-trainers-drive.md
new file mode 100644
index 000000000000..f5a673cd8c30
--- /dev/null
+++ b/.changeset/dull-trainers-drive.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+fix: Remove model-level query restrictions for monitors
diff --git a/apps/meteor/app/livechat/server/lib/Livechat.js b/apps/meteor/app/livechat/server/lib/Livechat.js
index ffd3a29b229f..c560f3dd7aa7 100644
--- a/apps/meteor/app/livechat/server/lib/Livechat.js
+++ b/apps/meteor/app/livechat/server/lib/Livechat.js
@@ -285,7 +285,7 @@ export const Livechat = {
 		Livechat.logger.debug(`Closing open chats for user ${userId}`);
 		const user = await Users.findOneById(userId);
 
-		const extraQuery = await callbacks.run('livechat.applyDepartmentRestrictions', {});
+		const extraQuery = await callbacks.run('livechat.applyDepartmentRestrictions', {}, { userId });
 		const openChats = LivechatRooms.findOpenByAgent(userId, extraQuery);
 		const promises = [];
 		await openChats.forEach((room) => {
diff --git a/apps/meteor/ee/app/livechat-enterprise/server/hooks/applyDepartmentRestrictions.ts b/apps/meteor/ee/app/livechat-enterprise/server/hooks/applyDepartmentRestrictions.ts
index 3c96cad39b72..d609d8464b04 100644
--- a/apps/meteor/ee/app/livechat-enterprise/server/hooks/applyDepartmentRestrictions.ts
+++ b/apps/meteor/ee/app/livechat-enterprise/server/hooks/applyDepartmentRestrictions.ts
@@ -4,16 +4,17 @@ import type { FilterOperators } from 'mongodb';
 import { hasRoleAsync } from '../../../../../app/authorization/server/functions/hasRole';
 import { callbacks } from '../../../../../lib/callbacks';
 import { cbLogger } from '../lib/logger';
-import { getUnitsFromUser } from '../lib/units';
+import { getUnitsFromUser } from '../methods/getUnitsFromUserRoles';
 
-export const addQueryRestrictionsToDepartmentsModel = async (originalQuery: FilterOperators<ILivechatDepartment> = {}) => {
+export const addQueryRestrictionsToDepartmentsModel = async (originalQuery: FilterOperators<ILivechatDepartment> = {}, userId: string) => {
 	const query: FilterOperators<ILivechatDepartment> = { ...originalQuery, type: { $ne: 'u' } };
 
-	const units = await getUnitsFromUser();
+	const units = await getUnitsFromUser(userId);
 	if (Array.isArray(units)) {
 		query.ancestors = { $in: units };
 	}
 
+	cbLogger.debug({ msg: 'Applying department query restrictions', userId, units });
 	return query;
 };
 
@@ -25,7 +26,7 @@ callbacks.add(
 		}
 
 		cbLogger.debug('Applying department query restrictions');
-		return addQueryRestrictionsToDepartmentsModel(originalQuery);
+		return addQueryRestrictionsToDepartmentsModel(originalQuery, userId);
 	},
 	callbacks.priority.HIGH,
 	'livechat-apply-department-restrictions',
diff --git a/apps/meteor/ee/app/livechat-enterprise/server/hooks/applyRoomRestrictions.ts b/apps/meteor/ee/app/livechat-enterprise/server/hooks/applyRoomRestrictions.ts
index 1a18b92dc94d..597a7546e99a 100644
--- a/apps/meteor/ee/app/livechat-enterprise/server/hooks/applyRoomRestrictions.ts
+++ b/apps/meteor/ee/app/livechat-enterprise/server/hooks/applyRoomRestrictions.ts
@@ -3,6 +3,7 @@ import { LivechatDepartment } from '@rocket.chat/models';
 import type { FilterOperators } from 'mongodb';
 
 import { callbacks } from '../../../../../lib/callbacks';
+import { cbLogger } from '../lib/logger';
 import { getUnitsFromUser } from '../lib/units';
 
 export const restrictQuery = async (originalQuery: FilterOperators<IOmnichannelRoom> = {}) => {
@@ -20,6 +21,7 @@ export const restrictQuery = async (originalQuery: FilterOperators<IOmnichannelR
 	};
 	query.$and = [condition, ...expressions];
 
+	cbLogger.debug({ msg: 'Applying room query restrictions', units });
 	return query;
 };
 
diff --git a/apps/meteor/ee/app/livechat-enterprise/server/methods/getUnitsFromUserRoles.ts b/apps/meteor/ee/app/livechat-enterprise/server/methods/getUnitsFromUserRoles.ts
index dd0f3867f574..47929f384d8f 100644
--- a/apps/meteor/ee/app/livechat-enterprise/server/methods/getUnitsFromUserRoles.ts
+++ b/apps/meteor/ee/app/livechat-enterprise/server/methods/getUnitsFromUserRoles.ts
@@ -1,11 +1,23 @@
-import { LivechatUnit } from '@rocket.chat/models';
+import { LivechatUnit, LivechatDepartmentAgents } from '@rocket.chat/models';
 import type { ServerMethods } from '@rocket.chat/ui-contexts';
 import mem from 'mem';
 import { Meteor } from 'meteor/meteor';
 
 import { hasAnyRoleAsync } from '../../../../../app/authorization/server/functions/hasRole';
+import { logger } from '../lib/logger';
 
-async function getUnitsFromUserRoles(user: string | null): Promise<string[] | undefined> {
+async function getUnitsFromUserRoles(user: string): Promise<string[]> {
+	return LivechatUnit.findByMonitorId(user);
+}
+
+async function getDepartmentsFromUserRoles(user: string): Promise<string[]> {
+	return (await LivechatDepartmentAgents.findByAgentId(user).toArray()).map((department) => department.departmentId);
+}
+
+const memoizedGetUnitFromUserRoles = mem(getUnitsFromUserRoles, { maxAge: 10000 });
+const memoizedGetDepartmentsFromUserRoles = mem(getDepartmentsFromUserRoles, { maxAge: 5000 });
+
+export const getUnitsFromUser = async (user: string): Promise<string[] | undefined> => {
 	if (!user || (await hasAnyRoleAsync(user, ['admin', 'livechat-manager']))) {
 		return;
 	}
@@ -14,10 +26,11 @@ async function getUnitsFromUserRoles(user: string | null): Promise<string[] | un
 		return;
 	}
 
-	return LivechatUnit.findByMonitorId(user);
-}
+	const unitsAndDepartments = [...(await memoizedGetUnitFromUserRoles(user)), ...(await memoizedGetDepartmentsFromUserRoles(user))];
+	logger.debug({ msg: 'Calculating units for monitor', user, unitsAndDepartments });
 
-const memoizedGetUnitFromUserRoles = mem(getUnitsFromUserRoles, { maxAge: 10000 });
+	return unitsAndDepartments;
+};
 
 declare module '@rocket.chat/ui-contexts' {
 	// eslint-disable-next-line @typescript-eslint/naming-convention
@@ -27,8 +40,11 @@ declare module '@rocket.chat/ui-contexts' {
 }
 
 Meteor.methods<ServerMethods>({
-	'livechat:getUnitsFromUser'(): Promise<string[] | undefined> {
+	async 'livechat:getUnitsFromUser'(): Promise<string[] | undefined> {
 		const user = Meteor.userId();
-		return memoizedGetUnitFromUserRoles(user);
+		if (!user) {
+			return;
+		}
+		return getUnitsFromUser(user);
 	},
 });
diff --git a/apps/meteor/ee/server/models/raw/LivechatRooms.ts b/apps/meteor/ee/server/models/raw/LivechatRooms.ts
index b39e3d9eacfa..3295af1b6179 100644
--- a/apps/meteor/ee/server/models/raw/LivechatRooms.ts
+++ b/apps/meteor/ee/server/models/raw/LivechatRooms.ts
@@ -11,7 +11,6 @@ import type { FindCursor, UpdateResult, Document, FindOptions, Db, Collection, F
 
 import { readSecondaryPreferred } from '../../../../server/database/readSecondaryPreferred';
 import { LivechatRoomsRaw } from '../../../../server/models/raw/LivechatRooms';
-import { addQueryRestrictionsToRoomsModel } from '../../../app/livechat-enterprise/server/lib/query.helper';
 
 declare module '@rocket.chat/model-typings' {
 	interface ILivechatRoomsModel {
@@ -296,32 +295,6 @@ export class LivechatRoomsRawEE extends LivechatRoomsRaw implements ILivechatRoo
 		return this.updateOne(query, update);
 	}
 
-	/** @deprecated Use updateOne or updateMany instead */
-	async update(...args: Parameters<LivechatRoomsRaw['update']>) {
-		const [query, ...restArgs] = args;
-		const restrictedQuery = await addQueryRestrictionsToRoomsModel(query);
-		return super.update(restrictedQuery, ...restArgs);
-	}
-
-	async updateOne(...args: [...Parameters<LivechatRoomsRaw['updateOne']>, { bypassUnits?: boolean }?]) {
-		const [query, update, opts, extraOpts] = args;
-		if (extraOpts?.bypassUnits) {
-			// When calling updateOne from a service, we cannot call the meteor code inside the query restrictions
-			// So the solution now is to pass a bypassUnits flag to the updateOne method which prevents checking
-			// units restrictions on the query, but just for the query the service is actually using
-			// We need to find a way of remove the meteor dependency when fetching units, and then, we can remove this flag
-			return super.updateOne(query, update, opts);
-		}
-		const restrictedQuery = await addQueryRestrictionsToRoomsModel(query);
-		return super.updateOne(restrictedQuery, update, opts);
-	}
-
-	async updateMany(...args: Parameters<LivechatRoomsRaw['updateMany']>) {
-		const [query, ...restArgs] = args;
-		const restrictedQuery = await addQueryRestrictionsToRoomsModel(query);
-		return super.updateMany(restrictedQuery, ...restArgs);
-	}
-
 	getConversationsBySource(start: Date, end: Date, extraQuery: Filter<IOmnichannelRoom>): AggregationCursor<ReportResult> {
 		return this.col.aggregate(
 			[
diff --git a/apps/meteor/ee/server/models/raw/LivechatUnit.ts b/apps/meteor/ee/server/models/raw/LivechatUnit.ts
index 180b145e4352..fcabf12fa4f8 100644
--- a/apps/meteor/ee/server/models/raw/LivechatUnit.ts
+++ b/apps/meteor/ee/server/models/raw/LivechatUnit.ts
@@ -51,15 +51,6 @@ export class LivechatUnitRaw extends BaseRaw<IOmnichannelBusinessUnit> implement
 		return this.col.findOne(query, options);
 	}
 
-	async update(
-		originalQuery: Filter<IOmnichannelBusinessUnit>,
-		update: Filter<IOmnichannelBusinessUnit>,
-		options: FindOptions<IOmnichannelBusinessUnit>,
-	): Promise<UpdateResult> {
-		const query = await addQueryRestrictions(originalQuery);
-		return this.col.updateOne(query, update, options);
-	}
-
 	remove(query: Filter<IOmnichannelBusinessUnit>): Promise<DeleteResult> {
 		return this.deleteMany(query);
 	}
diff --git a/apps/meteor/server/models/raw/LivechatRooms.ts b/apps/meteor/server/models/raw/LivechatRooms.ts
index bf44a51b7f64..974c2b5cb570 100644
--- a/apps/meteor/server/models/raw/LivechatRooms.ts
+++ b/apps/meteor/server/models/raw/LivechatRooms.ts
@@ -1518,11 +1518,6 @@ export class LivechatRoomsRaw extends BaseRaw<IOmnichannelRoom> implements ILive
 			{
 				$set: { pdfTranscriptRequested: true },
 			},
-			{},
-			// @ts-expect-error - extra arg not on base types
-			{
-				bypassUnits: true,
-			},
 		);
 	}
 
@@ -1534,11 +1529,6 @@ export class LivechatRoomsRaw extends BaseRaw<IOmnichannelRoom> implements ILive
 			{
 				$unset: { pdfTranscriptRequested: 1 },
 			},
-			{},
-			// @ts-expect-error - extra arg not on base types
-			{
-				bypassUnits: true,
-			},
 		);
 	}
 
@@ -1550,11 +1540,6 @@ export class LivechatRoomsRaw extends BaseRaw<IOmnichannelRoom> implements ILive
 			{
 				$set: { pdfTranscriptFileId: fileId },
 			},
-			{},
-			// @ts-expect-error - extra arg not on base types
-			{
-				bypassUnits: true,
-			},
 		);
 	}