diff --git a/packages/rocketchat-message-pin/server/pinMessage.js b/packages/rocketchat-message-pin/server/pinMessage.js
index c4e7bed921e2..f5d64328c039 100644
--- a/packages/rocketchat-message-pin/server/pinMessage.js
+++ b/packages/rocketchat-message-pin/server/pinMessage.js
@@ -37,6 +37,10 @@ Meteor.methods({
 });
 }
 
+ if (!RocketChat.authz.hasPermission(Meteor.userId(), 'pin-message')) {
+ throw new Meteor.Error('not-authorized', 'Not Authorized', { method: 'pinMessage' });
+ }
+
 const subscription = RocketChat.models.Subscriptions.findOneByRoomIdAndUserId(message.rid, Meteor.userId(), { fields: { _id: 1 } });
 if (!subscription) {
 return false;
@@ -115,6 +119,10 @@ Meteor.methods({
 });
 }
 
+ if (!RocketChat.authz.hasPermission(Meteor.userId(), 'pin-message')) {
+ throw new Meteor.Error('not-authorized', 'Not Authorized', { method: 'pinMessage' });
+ }
+
 const subscription = RocketChat.models.Subscriptions.findOneByRoomIdAndUserId(message.rid, Meteor.userId(), { fields: { _id: 1 } });
 if (!subscription) {
 return false;
diff --git a/tests/data/permissions.helper.js b/tests/data/permissions.helper.js
index 5a7d3218da4c..8fafa591a9d0 100644
--- a/tests/data/permissions.helper.js
+++ b/tests/data/permissions.helper.js
@@ -8,3 +8,12 @@ export const updatePermission = (permission, roles) => new Promise((resolve) =>
 .expect(200)
 .end(resolve);
 });
+
+export const updateSetting = (setting, value) => new Promise((resolve) => {
+ request.post(`/api/v1/settings/${ setting }`)
+ .set(credentials)
+ .send({ value })
+ .expect('Content-Type', 'application/json')
+ .expect(200)
+ .end(resolve);
+});
diff --git a/tests/end-to-end/api/01-users.js b/tests/end-to-end/api/01-users.js
index 30bdb85563e5..7ac042036661 100644
--- a/tests/end-to-end/api/01-users.js
+++ b/tests/end-to-end/api/01-users.js
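Review bot: The new guard at the top of the first hunk calls `RocketChat.authz.hasPermission(Meteor.userId(), 'pin-message')` with no room scope, so a user who holds `pin-message` only through a room-scoped role (owner or moderator of `message.rid`) is refused even though the subscription lookup two lines below shows the room is already known at this point. If `hasPermission` accepts a scope argument, the check should read `if (!RocketChat.authz.hasPermission(Meteor.userId(), 'pin-message', message.rid)) {`; worth confirming against the authz helper, which is not in this diff. `Meteor.userId()` is now called three times in a row in this method, and a single `const userId = Meteor.userId();` ahead of the checks would read better. The same scope question applies to the second hunk of this file. The enclosing method starts before the hunk.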
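Review bot: The error thrown by the guard added in the second hunk carries `{ method: 'pinMessage' }`, but this hunk sits at line 119 of the file, well past the method guarded in the first hunk, and it is the code the new `chat.unPinMessage` tests exercise, so it appears to be the unpin method and the metadata mislabels it. Suggested: `throw new Meteor.Error('not-authorized', 'Not Authorized', { method: 'unPinMessage' });`. That field is what clients and server logs use to attribute the refusal, so a copy of the pin value makes the two refusals indistinguishable. The enclosing method starts before the hunk.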
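Review bot: `updateSetting` in tests/data/permissions.helper.js resolves on `.end(resolve)` whatever happens, so a failed settings update (non-200 status, wrong content type, connection error) fulfils the promise with the error object and the caller proceeds as if the setting had changed; in the new pin tests this turns a precondition failure into either an unrelated assertion failure or a false pass. Suggested: `new Promise((resolve, reject) => {` together with `.end((err, res) => (err ? reject(err) : resolve(res)));`. The local copies removed from tests/end-to-end/api/01-users.js also asserted `expect(res.body).to.have.property('success', true)`, which the shared version drops; restoring that `.expect` keeps the helper as strict as the code it replaces. Whether `updatePermission` above has the same gap cannot be seen here, since its body starts before the hunk.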
@@ -12,30 +12,7 @@ import {
 import { adminEmail, preferences, password, adminUsername } from '../../data/user.js';
 import { imgURL } from '../../data/interactions.js';
 import { customFieldText, clearCustomFields, setCustomFields } from '../../data/custom-fields.js';
-
-const updatePermission = (permission, roles) => new Promise((resolve) => {
- request.post(api('permissions.update'))
- .set(credentials)
- .send({ permissions: [{ _id: permission, roles }] })
- .expect('Content-Type', 'application/json')
- .expect(200)
- .expect((res) => {
- expect(res.body).to.have.property('success', true);
- })
- .end(resolve);
-});
-
-const updateSetting = (setting, value) => new Promise((resolve) => {
- request.post(`/api/v1/settings/${ setting }`)
- .set(credentials)
- .send({ value })
- .expect('Content-Type', 'application/json')
- .expect(200)
- .expect((res) => {
- expect(res.body).to.have.property('success', true);
- })
- .end(resolve);
-});
+import { updatePermission, updateSetting } from '../../data/permissions.helper';
 
 describe('[Users]', function() {
 this.retries(0);
diff --git a/tests/end-to-end/api/05-chat.js b/tests/end-to-end/api/05-chat.js
index 4dc52880cd15..3006dc8982d4 100644
--- a/tests/end-to-end/api/05-chat.js
+++ b/tests/end-to-end/api/05-chat.js
@@ -8,6 +8,7 @@ import {
 import { password } from '../../data/user';
 import { createRoom } from '../../data/rooms.helper.js';
 import { sendSimpleMessage, deleteMessage } from '../../data/chat.helper.js';
+import { updatePermission, updateSetting } from '../../data/permissions.helper';
 
 describe('[Chat]', function() {
 this.retries(0);
@@ -789,4 +790,113 @@ describe('[Chat]', function() {
 });
 });
 
+ describe('[/chat.pinMessage]', () => {
+ it('should return an error when pinMessage is not allowed in this server', (done) => {
+ updateSetting('Message_AllowPinning', false).then(() => {
+ request.post(api('chat.pinMessage'))
+ .set(credentials)
+ .send({
+ messageId: message._id,
+ })
+ .expect('Content-Type', 'application/json')
+ .expect(400)
+ .expect((res) => {
+ expect(res.body).to.have.property('success', false);
+ expect(res.body).to.have.property('error');
+ })
+ .end(done);
+ });
+ });
+
+ it('should return an error when pinMessage is allowed in server but user dont have permission', (done) => {
+ updateSetting('Message_AllowPinning', true).then(() => {
+ updatePermission('pin-message', []).then(() => {
+ request.post(api('chat.pinMessage'))
+ .set(credentials)
+ .send({
+ messageId: message._id,
+ })
+ .expect('Content-Type', 'application/json')
+ .expect(400)
+ .expect((res) => {
+ expect(res.body).to.have.property('success', false);
+ expect(res.body).to.have.property('error');
+ })
+ .end(done);
+ });
+ });
+ });
+
+ it('should pin Message successfully', (done) => {
+ updatePermission('pin-message', ['admin']).then(() => {
+ request.post(api('chat.pinMessage'))
+ .set(credentials)
+ .send({
+ messageId: message._id,
+ })
+ .expect('Content-Type', 'application/json')
+ .expect(200)
+ .expect((res) => {
+ expect(res.body).to.have.property('success', true);
+ expect(res.body).to.not.have.property('error');
+ })
+ .end(done);
+ });
+ });
+ });
+
+ describe('[/chat.unPinMessage]', () => {
+ it('should return an error when pinMessage is not allowed in this server', (done) => {
+ updateSetting('Message_AllowPinning', false).then(() => {
+ request.post(api('chat.unPinMessage'))
+ .set(credentials)
+ .send({
+ messageId: message._id,
+ })
+ .expect('Content-Type', 'application/json')
+ .expect(400)
+ .expect((res) => {
+ expect(res.body).to.have.property('success', false);
+ expect(res.body).to.have.property('error');
+ })
+ .end(done);
+ });
+ });
+
+ it('should return an error when pinMessage is allowed in server but users dont have permission', (done) => {
+ updateSetting('Message_AllowPinning', true).then(() => {
+ updatePermission('pin-message', []).then(() => {
+ request.post(api('chat.unPinMessage'))
+ .set(credentials)
+ .send({
+ messageId: message._id,
+ })
+ .expect('Content-Type', 'application/json')
+ .expect(400)
+ .expect((res) => {
+ expect(res.body).to.have.property('success', false);
+ expect(res.body).to.have.property('error');
+ })
+ .end(done);
+ });
+ });
+ });
+
+ it('should unpin Message successfully', (done) => {
+ updatePermission('pin-message', ['admin']).then(() => {
+ request.post(api('chat.unPinMessage'))
+ .set(credentials)
+ .send({
+ messageId: message._id,
+ })
+ .expect('Content-Type', 'application/json')
+ .expect(200)
+ .expect((res) => {
+ expect(res.body).to.have.property('success', true);
+ expect(res.body).to.not.have.property('error');
+ })
+ .end(done);
+ });
+ });
+ });
 });
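Review bot: The permission tests mutate server state that outlives the suite: `updatePermission('pin-message', [])` strips the permission from every role, the two success cases then restore only `['admin']`, so any other role that held `pin-message` by default keeps losing it for the rest of the run, and `Message_AllowPinning` is never reset either. An `after(() => updatePermission('pin-message', [/* default roles — not shown in this diff */]))` at the describe level, plus a matching reset of the setting, would contain the side effect; the default role list is not visible here and must be taken from the permission seed. The `.then(...)` chains around each request have no `.catch(done)`, so a rejected helper would surface as a mocha timeout instead of the real error. Two titles in the `[/chat.unPinMessage]` block still say `pinMessage`; `should return an error when unPinMessage is not allowed in this server` would match what they exercise.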