chore!: Improve permissions check on permissions endpoints (#32343)

RocketChat · May 15, 2024 · 1ec86c0 · 1ec86c0
1 parent 9c4ca83
commit 1ec86c0
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 6 deletions.
diff --git a/apps/meteor/app/api/server/v1/permissions.ts b/apps/meteor/app/api/server/v1/permissions.ts
@@ -3,7 +3,6 @@ import { Permissions, Roles } from '@rocket.chat/models';
 import { isBodyParamsValidPermissionUpdate } from '@rocket.chat/rest-typings';
 import { Meteor } from 'meteor/meteor';
 
-import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { notifyOnPermissionChangedById } from '../../../lib/server/lib/notifyListener';
 import { API } from '../api';
 
@@ -41,13 +40,9 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'permissions.update',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['access-permissions'] },
 	{
 		async post() {
-			if (!(await hasPermissionAsync(this.userId, 'access-permissions'))) {
-				return API.v1.failure('Editing permissions is not allowed', 'error-edit-permissions-not-allowed');
-			}
-
 			const { bodyParams } = this;
 
 			if (!isBodyParamsValidPermissionUpdate(bodyParams)) {

diff --git a/apps/meteor/tests/end-to-end/api/11-permissions.js b/apps/meteor/tests/end-to-end/api/11-permissions.js
@@ -3,6 +3,8 @@ import { before, describe, it, after } from 'mocha';
 
 import { getCredentials, api, request, credentials } from '../../data/api-data.js';
 import { updatePermission } from '../../data/permissions.helper';
+import { password } from '../../data/user';
+import { createUser, deleteUser, login } from '../../data/users.helper.js';
 
 describe('[Permissions]', function () {
 	this.retries(0);
@@ -54,6 +56,19 @@ describe('[Permissions]', function () {
 	});
 
 	describe('[/permissions.update]', () => {
+		let testUser;
+		let testUserCredentials;
+		before(async () => {
+			testUser = await createUser();
+			testUserCredentials = await login(testUser.username, password);
+			await updatePermission('access-permissions', ['admin']);
+		});
+
+		after(async () => {
+			await updatePermission('access-permissions', ['admin']);
+			await deleteUser(testUser);
+		});
+
 		it('should change the permissions on the server', (done) => {
 			const permissions = [
 				{
@@ -127,5 +142,23 @@ describe('[Permissions]', function () {
 				})
 				.end(done);
 		});
+		it('should fail updating permission if user does NOT have the access-permissions permission', async () => {
+			const permissions = [
+				{
+					_id: 'add-oauth-service',
+					roles: ['admin', 'user'],
+				},
+			];
+			await request
+				.post(api('permissions.update'))
+				.set(testUserCredentials)
+				.send({ permissions })
+				.expect('Content-Type', 'application/json')
+				.expect(403)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
+				});
+		});
 	});
 });