From 22c9512329df35f49c79cd4d4fb1261f12a7e76d Mon Sep 17 00:00:00 2001 From: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com> Date: Fri, 3 May 2024 17:30:48 -0300 Subject: [PATCH] chore!: Improve permissions check on mailer endpoints (#32336) --- apps/meteor/app/api/server/v1/mailer.ts | 6 +--- .../end-to-end/api/livechat/12-mailer.ts | 32 +++++++++++++++++-- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/apps/meteor/app/api/server/v1/mailer.ts b/apps/meteor/app/api/server/v1/mailer.ts index 767868090b91d..56229e26dc316 100644 --- a/apps/meteor/app/api/server/v1/mailer.ts +++ b/apps/meteor/app/api/server/v1/mailer.ts @@ -1,6 +1,5 @@ import { isMailerProps, isMailerUnsubscribeProps } from '@rocket.chat/rest-typings'; -import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission'; import { API } from '../api'; API.v1.addRoute( @@ -8,13 +7,10 @@ API.v1.addRoute( { authRequired: true, validateParams: isMailerProps, + permissionsRequired: ['send-mail'], }, { async post() { - if (!(await hasPermissionAsync(this.userId, 'send-mail'))) { - throw new Error('error-not-allowed'); - } - const { from, subject, body, dryrun, query } = this.bodyParams; const result = await Meteor.callAsync('Mailer.sendMail', from, subject, body, Boolean(dryrun), query); diff --git a/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts b/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts index 01a47594620d6..c9bdaa6139858 100644 --- a/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts +++ b/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts @@ -1,13 +1,22 @@ import { expect } from 'chai'; -import { before, describe, it } from 'mocha'; +import { before, after, describe, it } from 'mocha'; import type { Response } from 'supertest'; import { api, request, credentials, getCredentials } from '../../../data/api-data'; +import { updatePermission } from '../../../data/permissions.helper'; describe('Mailer', () => { before((done) => getCredentials(done)); - describe('POST mailer', () => { + describe('POST mailer', async () => { + before(async () => { + return updatePermission('send-mail', ['admin']); + }); + + after(async () => { + return updatePermission('send-mail', ['admin']); + }); + it('should send an email if the payload is correct', async () => { await request .post(api('mailer')) @@ -58,6 +67,25 @@ describe('Mailer', () => { expect(res.body).to.have.property('success', false); }); }); + it('should throw an error if user does NOT have the send-mail permission', async () => { + await updatePermission('send-mail', []); + await request + .post(api('mailer')) + .set(credentials) + .send({ + from: 'test-mail@test.com', + subject: 'Test email subject', + body: 'Test email body', + dryrun: true, + query: '', + }) + .expect('Content-Type', 'application/json') + .expect(403) + .expect((res: Response) => { + expect(res.body).to.have.property('success', false); + expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]'); + }); + }); }); });