[SECURITY] realtime api receives events for channels they have been removed from.

[svenwiltink]

Description:

When you connect to RocketChat using the realtime api and subscribe to messages in a room you still receive events from the channel after you have been kicked and you can still send messages.

Steps to reproduce:

Connect to the realtime api
join a channel
subscribe to messages using stream-room-messages and the RoomID
kick the client from the channel using /kick @username

Expected behavior:

Don't allow the client to send messaged and don't send events to the subscription.

Actual behavior:

The client continues to receive events and can still send messages:

2018/07/03 12:28:04 <- {"msg":"changed","collection":"stream-notify-user","id":"id","fields":{"eventName":"NvGeSeJPt7ZwkpuxL/rooms-changed","args":["updated",{"_id":"erG9QAHWqjhwSue2E","name":"kane","fname":"kane","t":"c","u":{"_id":"27GQqRbPD2ycqBup2","username":"swiltink"},"_updatedAt":{"$date":1530613684521},"customFields":{},"lastMessage":{"msg":"damn it","rid":"erG9QAHWqjhwSue2E","ts":{"$date":1530613678913},"u":{"_id":"NvGeSeJPt7ZwkpuxL","username":"musicbot","name":"musicbot"},"mentions":[],"channels":[],"_updatedAt":{"$date":1530613678915},"_id":"2xbW6kXHXRyaPrtDd","sandstormSessionId":null},"ro":false,"sysMes":true}]}}

// here the client receives the channel kicked event 
2018/07/03 12:28:04 <- {"msg":"changed","collection":"stream-notify-user","id":"id","fields":{"eventName":"NvGeSeJPt7ZwkpuxL/rooms-changed","args":["removed",{"_id":"erG9QAHWqjhwSue2E","name":"kane","fname":"kane","t":"c","u":{"_id":"27GQqRbPD2ycqBup2","username":"swiltink"},"_updatedAt":{"$date":1530613684521},"customFields":{},"lastMessage":{"msg":"damn it","rid":"erG9QAHWqjhwSue2E","ts":{"$date":1530613678913},"u":{"_id":"NvGeSeJPt7ZwkpuxL","username":"musicbot","name":"musicbot"},"mentions":[],"channels":[],"_updatedAt":{"$date":1530613678915},"_id":"2xbW6kXHXRyaPrtDd","sandstormSessionId":null},"ro":false,"sysMes":true}]}}
2018/07/03 12:28:04 <- {"msg":"changed","collection":"stream-room-messages","id":"id","fields":{"eventName":"erG9QAHWqjhwSue2E","args":[{"_id":"L9u4ZP7MejaCTqWjh","t":"ru","rid":"erG9QAHWqjhwSue2E","ts":{"$date":1530613684544},"msg":"musicbot","u":{"_id":"27GQqRbPD2ycqBup2","username":"swiltink"},"groupable":false,"_updatedAt":{"$date":1530613684544}}]}}

// the client tries to respond with a message and succeeds
2018/07/03 12:28:04 -> {"msg":"method","id":"8","method":"sendMessage","params":[{"msg":"damn it","rid":"erG9QAHWqjhwSue2E"}]}
2018/07/03 12:28:04 <- {"msg":"changed","collection":"stream-room-messages","id":"id","fields":{"eventName":"erG9QAHWqjhwSue2E","args":[{"_id":"okguEecazFL4i2YbW","msg":"damn it","rid":"erG9QAHWqjhwSue2E","ts":{"$date":1530613684554},"u":{"_id":"NvGeSeJPt7ZwkpuxL","username":"musicbot","name":"musicbot"},"mentions":[],"channels":[],"_updatedAt":{"$date":1530613684556}}]}}
2018/07/03 12:28:04 <- {"msg":"result","id":"8","result":{"msg":"damn it","rid":"erG9QAHWqjhwSue2E","ts":{"$date":1530613684554},"u":{"_id":"NvGeSeJPt7ZwkpuxL","username":"musicbot","name":"musicbot"},"mentions":[],"channels":[],"_updatedAt":{"$date":1530613684556},"_id":"okguEecazFL4i2YbW"}}
2018/07/03 12:28:04 <- {"msg":"updated","methods":["8"]}
2018/07/03 12:28:04 &{okguEecazFL4i2YbW  {{554000000 63666210484 <nil>}} damn it [] {{0 0 <nil>}} [] 0xc420127620 erG9QAHWqjhwSue2E}

// the client has been kicked and continues to receive events after this point. It can also still send messages

2018/07/03 12:28:13 <- {"msg":"changed","collection":"stream-room-messages","id":"id","fields":{"eventName":"erG9QAHWqjhwSue2E","args":[{"_id":"cenXhQgqDjpMEApvj","rid":"erG9QAHWqjhwSue2E","msg":"hallo?","ts":{"$date":1530613693140},"u":{"_id":"27GQqRbPD2ycqBup2","username":"swiltink","name":"banaan"},"mentions":[],"channels":[],"_updatedAt":{"$date":1530613693142}}]}}
2018/07/03 12:28:13 &{cenXhQgqDjpMEApvj  {{140000000 63666210493 <nil>}} hallo? [] {{0 0 <nil>}} [] 0xc420127650 erG9QAHWqjhwSue2E}
2018/07/03 12:28:13 -> {"msg":"method","id":"9","method":"sendMessage","params":[{"msg":"damn it","rid":"erG9QAHWqjhwSue2E"}]}
2018/07/03 12:28:13 <- {"msg":"updated","methods":["9"]}
2018/07/03 12:28:13 <- {"msg":"result","id":"9","result":{"msg":"damn it","rid":"erG9QAHWqjhwSue2E","ts":{"$date":1530613693159},"u":{"_id":"NvGeSeJPt7ZwkpuxL","username":"musicbot","name":"musicbot"},"mentions":[],"channels":[],"_updatedAt":{"$date":1530613693161},"_id":"qKAuDWrPSeBMhF6vc"}}
2018/07/03 12:28:13 <- {"msg":"changed","collection":"stream-room-messages","id":"id","fields":{"eventName":"erG9QAHWqjhwSue2E","args":[{"_id":"qKAuDWrPSeBMhF6vc","msg":"damn it","rid":"erG9QAHWqjhwSue2E","ts":{"$date":1530613693159},"u":{"_id":"NvGeSeJPt7ZwkpuxL","username":"musicbot","name":"musicbot"},"mentions":[],"channels":[],"_updatedAt":{"$date":1530613693161}}]}}
2018/07/03 12:28:13 &{qKAuDWrPSeBMhF6vc  {{159000000 63666210493 <nil>}} damn it [] {{0 0 <nil>}} [] 0xc42040c1e0 erG9QAHWqjhwSue2E}

Server Setup Information:

• Version of Rocket.Chat Server: 0.65.1
• Operating System: ubuntu 18.04
• Deployment Method: snap
• Number of Running Instances: 1
• DB Replicaset Oplog: ?
• NodeJS Version: 8.11.2
• MongoDB Version: 3.2.7

[svenwiltink]

fixed by #15389