Skip to content

Commit

Permalink
chore!: Improve permissions check on teams endpoints (#32351)
Browse files Browse the repository at this point in the history
  • Loading branch information
matheusbsilva137 authored and ggazzo committed Sep 25, 2024
1 parent 70519bc commit 20f8a93
Show file tree
Hide file tree
Showing 2 changed files with 1,786 additions and 1,720 deletions.
17 changes: 3 additions & 14 deletions apps/meteor/app/api/server/v1/teams.ts
Original file line number Diff line number Diff line change
Expand Up @@ -45,13 +45,9 @@ API.v1.addRoute(

API.v1.addRoute(
'teams.listAll',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['view-all-teams'] },
{
async get() {
if (!(await hasPermissionAsync(this.userId, 'view-all-teams'))) {
return API.v1.unauthorized();
}

const { offset, count } = await getPaginationItems(this.queryParams);

const { records, total } = await Team.listAll({ offset, count });
Expand All @@ -68,13 +64,9 @@ API.v1.addRoute(

API.v1.addRoute(
'teams.create',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['create-team'] },
{
async post() {
if (!(await hasPermissionAsync(this.userId, 'create-team'))) {
return API.v1.unauthorized();
}

check(
this.bodyParams,
Match.ObjectIncluding({
Expand Down Expand Up @@ -291,10 +283,7 @@ API.v1.addRoute(

const allowPrivateTeam: boolean = await hasPermissionAsync(this.userId, 'view-all-teams', team.roomId);

let getAllRooms = false;
if (await hasPermissionAsync(this.userId, 'view-all-team-channels', team.roomId)) {
getAllRooms = true;
}
const getAllRooms = await hasPermissionAsync(this.userId, 'view-all-team-channels', team.roomId);

const listFilter = {
name: filter ?? undefined,
Expand Down
Loading

0 comments on commit 20f8a93

Please sign in to comment.