chore: Improve permissions check on instances endpoints (#32334)

RocketChat · May 15, 2024 · 4ca1ada · 4ca1ada
1 parent e9d5829
commit 4ca1ada
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 7 deletions.
diff --git a/apps/meteor/app/api/server/v1/instances.ts b/apps/meteor/app/api/server/v1/instances.ts
@@ -1,7 +1,6 @@
 import { InstanceStatus } from '@rocket.chat/models';
 
 import { isRunningMs } from '../../../../server/lib/isRunningMs';
-import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { API } from '../api';
 import { getInstanceList } from '../helpers/getInstanceList';
 
@@ -15,13 +14,9 @@ const getConnections = (() => {
 
 API.v1.addRoute(
 	'instances.get',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['view-statistics'] },
 	{
 		async get() {
-			if (!(await hasPermissionAsync(this.userId, 'view-statistics'))) {
-				return API.v1.unauthorized();
-			}
-
 			const instanceRecords = await InstanceStatus.find().toArray();
 
 			const connections = await getConnections();

diff --git a/apps/meteor/tests/end-to-end/api/00-miscellaneous.js b/apps/meteor/tests/end-to-end/api/00-miscellaneous.js
@@ -536,7 +536,7 @@ describe('miscellaneous', function () {
 				.expect(403)
 				.expect((res) => {
 					expect(res.body).to.have.property('success', false);
-					expect(res.body).to.have.property('error', 'unauthorized');
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
 				})
 				.end(done);
 		});