chore!: Improve permissions check on roles endpoints (#32347)
matheusbsilva137 authored and ggazzo committed Jun 24, 2024
1 parent 3c1622c commit b484993
Showing 2 changed files with 419 additions and 14 deletions.
17 changes: 3 additions & 14 deletions apps/meteor/app/api/server/v1/roles.ts
@@ -91,7 +91,7 @@ API.v1.addRoute(

API.v1.addRoute(
'roles.getUsersInRole',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['access-permissions'] },
{
async get() {
const { roomId, role } = this.queryParams;
@@ -109,9 +109,6 @@ API.v1.addRoute(
if (!role) {
throw new Meteor.Error('error-param-not-provided', 'Query param "role" is required');
}
if (!(await hasPermissionAsync(this.userId, 'access-permissions'))) {
throw new Meteor.Error('error-not-allowed', 'Not allowed');
}
if (roomId && !(await hasPermissionAsync(this.userId, 'view-other-user-channels'))) {
throw new Meteor.Error('error-not-allowed', 'Not allowed');
}
@@ -150,18 +147,14 @@ API.v1.addRoute(

API.v1.addRoute(
'roles.delete',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['access-permissions'] },
{
async post() {
const { bodyParams } = this;
if (!isRoleDeleteProps(bodyParams)) {
throw new Meteor.Error('error-invalid-role-properties', 'The role properties are invalid.');
}

if (!(await hasPermissionAsync(this.userId, 'access-permissions'))) {
throw new Meteor.Error('error-action-not-allowed', 'Accessing permissions is not allowed');
}

const role = await Roles.findOneByIdOrName(bodyParams.roleId);

if (!role) {
@@ -189,7 +182,7 @@ API.v1.addRoute(

API.v1.addRoute(
'roles.removeUserFromRole',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['access-permissions'] },
{
async post() {
const { bodyParams } = this;
@@ -199,10 +192,6 @@ API.v1.addRoute(

const { roleId, roleName, username, scope } = bodyParams;

if (!(await hasPermissionAsync(this.userId, 'access-permissions'))) {
throw new Meteor.Error('error-not-allowed', 'Accessing permissions is not allowed');
}

if (!roleId) {
if (!roleName) {
return API.v1.failure('error-invalid-role-properties');
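Review bot: In `roles.getUsersInRole` the authorization decision is now split across two mechanisms: `access-permissions` is enforced by `permissionsRequired` before the handler runs, while the room-scoped `view-other-user-channels` check stays inline and still throws `Meteor.Error('error-not-allowed', 'Not allowed')`. A caller denied by the route option and one denied by the inline check will presumably receive different status codes and error bodies, which makes denials harder to handle uniformly in clients and to alert on in audit logs. Consider returning the same response the route-level check produces for the inline case, e.g. `return API.v1.unauthorized();`, with a comment above it such as `// access-permissions is enforced by permissionsRequired on this route; only the room-scoped check stays inline`. The second changed file did not load on this page, so confirm its tests cover the denied path for all three routes, including `getUsersInRole` called with a `roomId`; the handler bodies continue outside the visible hunks.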
