getRoomRoles Method leaks Channel Owner
Team Summary
Official summary from Rocket.Chat
## Summary

Lack of ACL checks in the `getRoomRoles` Meteor method leaks channel members with special roles to unauthorized clients.

## Description

Lack of ACL checks in the [`getRoomRoles` Meteor method](https://github.com/RocketChat/Rocket.Chat/blob/a06e811ceeef6f674ff8c38e49ddcf0f476d9683/app/lib/server/methods/getRoomRoles.js#L8-L18) allows unauthorized clients to query channel members with special roles:

```javascript
Meteor.methods({
	getRoomRoles(rid) {
		check(rid, String);
		// Only the anonymous-read setting is consulted; nothing verifies that the
		// caller is allowed to see the room identified by `rid`.
		if (!Meteor.userId() && settings.get('Accounts_AllowAnonymousRead') === false) {
			throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'getRoomRoles' });
		}
		check(rid, String);
		return getRoomRoles(rid);
	},
});
```

The `rid` argument must be a String but is not further validated.

## Releases Affected:

* 4.3.1
* 3.18.3
* develop

## Steps To Reproduce (from initial installation to vulnerability):

1. Open Rocket.Chat
2. (Optional) Login as low-privileged user
3. Query `getRoomRoles` Meteor method with target Room ID

## Supporting Material/References:

### Proof of Concept

```javascript
const TARGET_ROOM_ID = "<ROOM_ID>";
Meteor.call("getRoomRoles", TARGET_ROOM_ID, console.log);
```

## Suggested mitigation

* Check for the user's access to the channel with the given Room ID `rid`.

## Impact

Unauthorized clients can leak members with special permissions of private channels.

## Fix

Fixed in versions 4.7.5, 4.8.2 and 5.0.0
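The suggested mitigation as an added example (not Rocket.Chat's own code): a framework-free JavaScript model of the method, with the vulnerable shape beside a version that gates the lookup on room access. Rooms, subscriptions, role assignments and the setting are constructed in memory, and `canAccessRoom` is a hypothetical stand-in for the server-side authorization check, not the project's function.

```javascript
// Constructed sample state: one public channel (t: 'c') and one private
// group (t: 'p'); anonymous read is disabled as in a default install.
const settings = { Accounts_AllowAnonymousRead: false };
const rooms = {
  GENERAL: { _id: 'GENERAL', t: 'c' },
  secretP: { _id: 'secretP', t: 'p' },
};
const subscriptions = [ // room membership
  { rid: 'secretP', uid: 'alice' },
  { rid: 'GENERAL', uid: 'alice' },
];
const roleAssignments = [ // special roles per room
  { rid: 'secretP', uid: 'alice', roles: ['owner'] },
  { rid: 'GENERAL', uid: 'bob', roles: ['moderator'] },
];

function getRoomRoles(rid) {
  return roleAssignments.filter((a) => a.rid === rid);
}

// Vulnerable shape (mirrors the reported method): only the anonymous-read
// setting is consulted, so any logged-in client that knows a room id can
// list the owners and moderators of a private room it is not a member of.
function getRoomRolesVulnerable(rid, userId) {
  if (!userId && settings.Accounts_AllowAnonymousRead === false) {
    throw new Error('error-invalid-user');
  }
  return getRoomRoles(rid);
}

// Hypothetical access check: public channels are readable by authenticated
// users (or by guests when anonymous read is enabled); private rooms
// require a subscription. Unknown room ids are denied rather than leaked.
function canAccessRoom(room, userId) {
  if (!room) return false;
  if (room.t === 'c') return Boolean(userId) || settings.Accounts_AllowAnonymousRead;
  return subscriptions.some((s) => s.rid === room._id && s.uid === userId);
}

// Hardened shape: validate the argument type, then require room access
// before returning anything about its members.
function getRoomRolesFixed(rid, userId) {
  if (typeof rid !== 'string') throw new Error('error-invalid-room');
  if (!canAccessRoom(rooms[rid], userId)) throw new Error('error-not-allowed');
  return getRoomRoles(rid);
}
```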
Report Details

Additional information and metadata

* State: Closed
* Substate: Resolved
* Submitted
* Weakness: Information Disclosure