From 0e3f7148312723429bb85175dabb8877bfe6b32d Mon Sep 17 00:00:00 2001
From: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com>
Date: Fri, 3 May 2024 17:05:32 -0300
Subject: [PATCH] chore: Improve permissions check on instances endpoints (#32334)
---
 apps/meteor/app/api/server/v1/instances.ts | 7 +------
 apps/meteor/tests/end-to-end/api/00-miscellaneous.js | 2 +-
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/apps/meteor/app/api/server/v1/instances.ts b/apps/meteor/app/api/server/v1/instances.ts
index e5404ab3e53c..47f98c856f44 100644
--- a/apps/meteor/app/api/server/v1/instances.ts
+++ b/apps/meteor/app/api/server/v1/instances.ts
@@ -1,7 +1,6 @@
 import { InstanceStatus } from '@rocket.chat/models';
 import { isRunningMs } from '../../../../server/lib/isRunningMs';
-import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { API } from '../api';
 import { getInstanceList } from '../helpers/getInstanceList';
@@ -15,13 +14,9 @@ const getConnections = (() => {
 API.v1.addRoute(
 'instances.get',
- { authRequired: true },
+ { authRequired: true, permissionsRequired: ['view-statistics'] },
 {
 async get() {
- if (!(await hasPermissionAsync(this.userId, 'view-statistics'))) {
- return API.v1.unauthorized();
- }
-
 const instanceRecords = await InstanceStatus.find().toArray();
 const connections = await getConnections();
diff --git a/apps/meteor/tests/end-to-end/api/00-miscellaneous.js b/apps/meteor/tests/end-to-end/api/00-miscellaneous.js
index d545441c1b7c..a96865aa8419 100644
--- a/apps/meteor/tests/end-to-end/api/00-miscellaneous.js
+++ b/apps/meteor/tests/end-to-end/api/00-miscellaneous.js
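Review bot: In the `instances.get` hunk of instances.ts, moving the check into `permissionsRequired: ['view-statistics']` also changes what a denied caller receives: the handler no longer returns `API.v1.unauthorized()`, and the test change in this same commit shows the 403 `error` field going from `unauthorized` to a longer framework message. Clients or alerting rules that match on the old string would stop matching, so the response change deserves a line in the commit description rather than passing as a pure chore. Because the handler body no longer shows any authorization, I would also add `// Access control: enforced by permissionsRequired in the route options; this handler reads instance records and connection data.` as the first line of `get()`. The body of `get()` continues past the end of the hunk.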
@@ -536,7 +536,7 @@ describe('miscellaneous', function () {
 .expect(403)
 .expect((res) => {
 expect(res.body).to.have.property('success', false);
- expect(res.body).to.have.property('error', 'unauthorized');
+ expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
 })
 .end(done);
 });
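Review bot: The updated assertion pins the full human-readable sentence, so any rewording of the framework's denial message fails this test even though access is still refused. Matching the stable code is enough: `expect(res.body).to.have.property('error').that.includes('[error-unauthorized]');`, with `.expect(403)` and the `success: false` check remaining the actual access-control assertions. The enclosing test case starts outside the hunk, so which user and endpoint it exercises is not visible here.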