From 5a74a5c164ce54e8e0d3a52ef7c48d395ae88383 Mon Sep 17 00:00:00 2001
From: Murtaza Patrawala <34130764+murtaza98@users.noreply.github.com>
Date: Thu, 9 Jun 2022 20:07:39 +0530
Subject: [PATCH] [FIX] Voip endpoint permissions (#25783)

<!-- This is a pull request template, you do not need to uncomment or remove the comments, they won't show up in the PR text. -->

<!-- Your Pull Request name should start with one of the following tags
  [NEW] For new features
  [IMPROVE] For an improvement (performance or little improvements) in existing features
  [FIX] For bug fixes that affect the end-user
  [BREAK] For pull requests including breaking changes
  Chore: For small tasks
  Doc: For documentation
-->

<!-- Checklist!!! If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.
  - I have read the Contributing Guide - https://github.com/RocketChat/Rocket.Chat/blob/develop/.github/CONTRIBUTING.md#contributing-to-rocketchat doc
  - I have signed the CLA - https://cla-assistant.io/RocketChat/Rocket.Chat
  - Lint and unit tests pass locally with my changes
  - I have added tests that prove my fix is effective or that my feature works (if applicable)
  - I have added necessary documentation (if applicable)
  - Any dependent changes have been merged and published in downstream modules
-->

## Proposed changes (including videos or screenshots)
<!-- CHANGELOG -->
<!--
  Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request.
  If it fixes a bug or resolves a feature request, be sure to link to that issue below.
  This description will appear in the release notes if we accept the contribution.
-->

<!-- END CHANGELOG -->

## Issue(s)
<!-- Link the issues being closed by or related to this PR. For example, you can use #594 if this PR closes issue number 594 -->
Earlier we didn't check for any permissions while creating or closing VoIP room. This new PR will enforce those permission checks
## Steps to test or reproduce
<!-- Mention how you would reproduce the bug if not mentioned on the issue page already. Also mention which screens are going to have the changes if applicable -->

## Further comments
<!-- If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc... -->
---
 apps/meteor/app/api/server/v1/voip/rooms.ts     | 8 ++++++--
 apps/meteor/tests/end-to-end/api/02-channels.js | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/apps/meteor/app/api/server/v1/voip/rooms.ts b/apps/meteor/app/api/server/v1/voip/rooms.ts
index f04feaf0e084..79e77c607972 100644
--- a/apps/meteor/app/api/server/v1/voip/rooms.ts
+++ b/apps/meteor/app/api/server/v1/voip/rooms.ts
@@ -82,7 +82,11 @@ const parseAndValidate = (property: string, date?: string): DateParam => {
 
 API.v1.addRoute(
 	'voip/room',
-	{ authRequired: false, rateLimiterOptions: { numRequestsAllowed: 5, intervalTimeInMS: 60000 } },
+	{
+		authRequired: true,
+		rateLimiterOptions: { numRequestsAllowed: 5, intervalTimeInMS: 60000 },
+		permissionsRequired: ['inbound-voip-calls'],
+	},
 	{
 		async get() {
 			const defaultCheckParams = {
@@ -212,7 +216,7 @@ API.v1.addRoute(
  */
 API.v1.addRoute(
 	'voip/room.close',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['inbound-voip-calls'] },
 	{
 		async post() {
 			check(this.bodyParams, {
diff --git a/apps/meteor/tests/end-to-end/api/02-channels.js b/apps/meteor/tests/end-to-end/api/02-channels.js
index 80e7435c8e8f..5469295f68bd 100644
--- a/apps/meteor/tests/end-to-end/api/02-channels.js
+++ b/apps/meteor/tests/end-to-end/api/02-channels.js
@@ -305,11 +305,13 @@ describe('[Channels]', function () {
 		before(() => updateSetting('VoIP_Enabled', true));
 		const createVoipRoom = async () => {
 			const testUser = await createUser({ roles: ['user', 'livechat-agent'] });
+			const testUserCredentials = await login(testUser.username, password);
 			const visitor = await createVisitor();
 			const roomResponse = await createRoom({
 				token: visitor.token,
 				type: 'v',
 				agentId: testUser._id,
+				credentials: testUserCredentials,
 			});
 			return roomResponse.body.room;
 		};