Skip to content

Commit

Permalink
chore!: Improve permissions check on mailer endpoints (#32336)
Browse files Browse the repository at this point in the history
  • Loading branch information
matheusbsilva137 authored and ggazzo committed Jul 26, 2024
1 parent 1c799e2 commit 22c9512
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 7 deletions.
6 changes: 1 addition & 5 deletions apps/meteor/app/api/server/v1/mailer.ts
Original file line number Diff line number Diff line change
@@ -1,20 +1,16 @@
import { isMailerProps, isMailerUnsubscribeProps } from '@rocket.chat/rest-typings';

import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
import { API } from '../api';

API.v1.addRoute(
'mailer',
{
authRequired: true,
validateParams: isMailerProps,
permissionsRequired: ['send-mail'],
},
{
async post() {
if (!(await hasPermissionAsync(this.userId, 'send-mail'))) {
throw new Error('error-not-allowed');
}

const { from, subject, body, dryrun, query } = this.bodyParams;

const result = await Meteor.callAsync('Mailer.sendMail', from, subject, body, Boolean(dryrun), query);
Expand Down
32 changes: 30 additions & 2 deletions apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts
Original file line number Diff line number Diff line change
@@ -1,13 +1,22 @@
import { expect } from 'chai';
import { before, describe, it } from 'mocha';
import { before, after, describe, it } from 'mocha';
import type { Response } from 'supertest';

import { api, request, credentials, getCredentials } from '../../../data/api-data';
import { updatePermission } from '../../../data/permissions.helper';

describe('Mailer', () => {
before((done) => getCredentials(done));

describe('POST mailer', () => {
describe('POST mailer', async () => {
before(async () => {
return updatePermission('send-mail', ['admin']);
});

after(async () => {
return updatePermission('send-mail', ['admin']);
});

it('should send an email if the payload is correct', async () => {
await request
.post(api('mailer'))
Expand Down Expand Up @@ -58,6 +67,25 @@ describe('Mailer', () => {
expect(res.body).to.have.property('success', false);
});
});
it('should throw an error if user does NOT have the send-mail permission', async () => {
await updatePermission('send-mail', []);
await request
.post(api('mailer'))
.set(credentials)
.send({
from: '[email protected]',
subject: 'Test email subject',
body: 'Test email body',
dryrun: true,
query: '',
})
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res: Response) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});
});

Expand Down

0 comments on commit 22c9512

Please sign in to comment.