From cdd932c2f5d3864820ed01674326cb0ad232ce2d Mon Sep 17 00:00:00 2001
From: LucianoPierdona
Date: Mon, 20 Jun 2022 09:41:19 -0300
Subject: [PATCH 1/5] update endpoint versioning on `RoomInfoWithData`
---
 .../room/contextualBar/Info/RoomInfo/RoomInfoWithData.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/meteor/client/views/room/contextualBar/Info/RoomInfo/RoomInfoWithData.js b/apps/meteor/client/views/room/contextualBar/Info/RoomInfo/RoomInfoWithData.js
index adf20054512c..55ba60e259cf 100644
--- a/apps/meteor/client/views/room/contextualBar/Info/RoomInfo/RoomInfoWithData.js
+++ b/apps/meteor/client/views/room/contextualBar/Info/RoomInfo/RoomInfoWithData.js
@@ -56,15 +56,15 @@ const RoomInfoWithData = ({ rid, openEditing, onClickBack, onEnterRoom, resetSta
 const dispatchToastMessage = useToastMessageDispatch();
 const setModal = useSetModal();
 const closeModal = useMutableCallback(() => setModal());
- const deleteRoom = useEndpoint('POST', room.t === 'c' ? 'channels.delete' : 'groups.delete');
+ const deleteRoom = useEndpoint('POST', room.t === 'c' ? '/v1/channels.delete' : '/v1/groups.delete');
 const hideRoom = useMethod('hideRoom');
 const leaveRoom = useMethod('leaveRoom');
 const router = useRoute('home');
- const moveChannelToTeam = useEndpointActionExperimental('POST', 'teams.addRooms', t('Rooms_added_successfully'));
+ const moveChannelToTeam = useEndpointActionExperimental('POST', '/v1/teams.addRooms', t('Rooms_added_successfully'));
 const convertRoomToTeam = useEndpointActionExperimental(
 'POST',
- type === 'c' ? 'channels.convertToTeam' : 'groups.convertToTeam',
+ type === 'c' ? '/v1/channels.convertToTeam' : '/v1/groups.convertToTeam',
 t('Success'),
 );
From ff001a9895419e16a63b21af4cd1333c8073c36a Mon Sep 17 00:00:00 2001
From: LucianoPierdona
Date: Mon, 20 Jun 2022 09:41:38 -0300
Subject: [PATCH 2/5] update endpoint versioning on `RoomActions`
---
 .../views/teams/contextualBar/channels/RoomActions.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/meteor/client/views/teams/contextualBar/channels/RoomActions.js b/apps/meteor/client/views/teams/contextualBar/channels/RoomActions.js
index c47f2b9bab2f..4f332441ccad 100644
--- a/apps/meteor/client/views/teams/contextualBar/channels/RoomActions.js
+++ b/apps/meteor/client/views/teams/contextualBar/channels/RoomActions.js
@@ -30,11 +30,11 @@ const RoomActions = ({ room, reload }) => {
 const canEditTeamChannel = usePermission('edit-team-channel', rid);
 const canRemoveTeamChannel = usePermission('remove-team-channel', rid);
- const updateRoomEndpoint = useEndpointActionExperimental('POST', 'teams.updateRoom');
- const removeRoomEndpoint = useEndpointActionExperimental('POST', 'teams.removeRoom', t('Room_has_been_removed'));
+ const updateRoomEndpoint = useEndpointActionExperimental('POST', '/v1/teams.updateRoom');
+ const removeRoomEndpoint = useEndpointActionExperimental('POST', '/v1/teams.removeRoom', t('Room_has_been_removed'));
 const deleteRoomEndpoint = useEndpointActionExperimental(
 'POST',
- room.t === 'c' ? 'channels.delete' : 'groups.delete',
+ room.t === 'c' ? '/v1/channels.delete' : '/v1/groups.delete',
 t('Room_has_been_deleted'),
 );
From a15c28704be3739ef1326014fbe7645ecca1f94d Mon Sep 17 00:00:00 2001
From: LucianoPierdona
Date: Mon, 20 Jun 2022 09:41:53 -0300
Subject: [PATCH 3/5] update endpoint versioning on `TeamsInfoWithData`
---
 .../views/teams/contextualBar/info/TeamsInfoWithData.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/meteor/client/views/teams/contextualBar/info/TeamsInfoWithData.js b/apps/meteor/client/views/teams/contextualBar/info/TeamsInfoWithData.js
index de4d72d14e0e..c49d310543e4 100644
--- a/apps/meteor/client/views/teams/contextualBar/info/TeamsInfoWithData.js
+++ b/apps/meteor/client/views/teams/contextualBar/info/TeamsInfoWithData.js
@@ -60,9 +60,9 @@ const TeamsInfoWithLogic = ({ room, openEditing }) => {
 const setModal = useSetModal();
 const closeModal = useMutableCallback(() => setModal());
- const deleteTeam = useEndpointActionExperimental('POST', 'teams.delete');
- const leaveTeam = useEndpointActionExperimental('POST', 'teams.leave');
- const convertTeamToChannel = useEndpointActionExperimental('POST', 'teams.convertToChannel');
+ const deleteTeam = useEndpointActionExperimental('POST', '/v1/teams.delete');
+ const leaveTeam = useEndpointActionExperimental('POST', '/V1/teams.leave');
+ const convertTeamToChannel = useEndpointActionExperimental('POST', '/v1/teams.convertToChannel');
 const hideTeam = useMethod('hideRoom');
From 0840e21dcd55aa7d59f02688ff18bf8fa07640b9 Mon Sep 17 00:00:00 2001
From: LucianoPierdona
Date: Tue, 21 Jun 2022 21:55:04 -0300
Subject: [PATCH 4/5] fix convert to team of public channels
---
 apps/meteor/app/api/server/v1/channels.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/apps/meteor/app/api/server/v1/channels.ts b/apps/meteor/app/api/server/v1/channels.ts
index 484c2a077081..837101cefd58 100644
--- a/apps/meteor/app/api/server/v1/channels.ts
+++ b/apps/meteor/app/api/server/v1/channels.ts
@@ -20,7 +20,7 @@ import {
 } from '@rocket.chat/rest-typings';
 import { Rooms, Subscriptions, Messages } from '../../../models/server';
-import { hasPermission, hasAllPermission } from '../../../authorization/server';
+import { hasPermission } from '../../../authorization/server';
 import { normalizeMessagesForUser } from '../../../utils/server/lib/normalizeMessagesForUser';
 import { API } from '../api';
 import { Team } from '../../../../server/sdk';
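Review bot: The new `leaveTeam` line in TeamsInfoWithData.js (PATCH 3/5) passes `'/V1/teams.leave'` with an upper-case `V`, while every other endpoint touched in this series uses the lower-case `/v1/` prefix. If the REST layer matches paths case-sensitively, which is the usual behaviour, the leave-team action would call an unregistered route and fail at runtime. The line should read `const leaveTeam = useEndpointActionExperimental('POST', '/v1/teams.leave');`. The body of TeamsInfoWithLogic continues outside the hunk.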
@@ -454,7 +454,7 @@ API.v1.addRoute(
 },
 {
 async post() {
- if (!hasAllPermission(this.userId, ['create-team', 'edit-room'])) {
+ if (!hasPermission(this.userId, 'create-team')) {
 return API.v1.unauthorized();
 }
@@ -472,6 +472,12 @@ API.v1.addRoute(
 userId: this.userId,
 });
+ const userIsOwnerOfTeam = room.u._id === this.userId;
+
+ if (!hasPermission(this.userId, 'edit-room') && !userIsOwnerOfTeam) {
+ return API.v1.unauthorized();
+ }
+
 if (!room) {
 return API.v1.failure('Channel not found');
 }
From edf584d404935ffef82d0f60538392f43c1dae79 Mon Sep 17 00:00:00 2001
From: LucianoPierdona
Date: Thu, 23 Jun 2022 13:29:32 -0300
Subject: [PATCH 5/5] update check on `channels.convertToTeam` to use scope on `edit-room` permission check
---
 apps/meteor/app/api/server/v1/channels.ts | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/apps/meteor/app/api/server/v1/channels.ts b/apps/meteor/app/api/server/v1/channels.ts
index 837101cefd58..e77826fd14fc 100644
--- a/apps/meteor/app/api/server/v1/channels.ts
+++ b/apps/meteor/app/api/server/v1/channels.ts
@@ -464,6 +464,10 @@ API.v1.addRoute(
 return API.v1.failure('The parameter "channelId" or "channelName" is required');
 }
+ if (!hasPermission(this.userId, 'edit-room', channelId)) {
+ return API.v1.unauthorized();
+ }
+
 const room = findChannelByIdOrName({
 params: {
 roomId: channelId,
@@ -472,12 +476,6 @@ API.v1.addRoute(
 userId: this.userId,
 });
- const userIsOwnerOfTeam = room.u._id === this.userId;
-
- if (!hasPermission(this.userId, 'edit-room') && !userIsOwnerOfTeam) {
- return API.v1.unauthorized();
- }
-
 if (!room) {
 return API.v1.failure('Channel not found');
 }
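Review bot: In the second channels.ts hunk of PATCH 4/5, `room.u._id` is read before the `if (!room)` guard that follows it. A request naming a channel that does not resolve would therefore throw instead of returning 'Channel not found', assuming findChannelByIdOrName can return a falsy value as the guard implies. The same added lines let the room's creator through without `edit-room`, which widens who may convert a channel and deserves an explicit comment if intended. PATCH 5/5 later in this series removes these lines; if this commit is ever applied on its own, the ownership test belongs below the guard. The post() handler starts and ends outside the hunk.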
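Review bot: The added `edit-room` check in the first hunk of PATCH 5/5 is scoped to `channelId`, but the validation message just above shows the endpoint also accepts `channelName`. In that case `channelId` is presumably undefined, so the check runs without a room scope and before the room has been resolved. A caller who holds `edit-room` only within that room would then be refused when addressing the channel by name, so the two lookup paths make different authorization decisions. Moving the block below the `if (!room)` guard and scoping it to the resolved document, `if (!hasPermission(this.userId, 'edit-room', room._id)) {`, keeps them consistent. How hasPermission treats an undefined scope is not visible here and should be confirmed; the post() handler starts and ends outside the hunk.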