chore!: Improve permissions check on mailer endpoints (#32336)

RocketChat · Sep 11, 2024 · 2a26720 · 2a26720
1 parent fc2cea7
commit 2a26720
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 7 deletions.
diff --git a/apps/meteor/app/api/server/v1/mailer.ts b/apps/meteor/app/api/server/v1/mailer.ts
@@ -1,20 +1,16 @@
 import { isMailerProps, isMailerUnsubscribeProps } from '@rocket.chat/rest-typings';
 
-import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { API } from '../api';
 
 API.v1.addRoute(
 	'mailer',
 	{
 		authRequired: true,
 		validateParams: isMailerProps,
+		permissionsRequired: ['send-mail'],
 	},
 	{
 		async post() {
-			if (!(await hasPermissionAsync(this.userId, 'send-mail'))) {
-				throw new Error('error-not-allowed');
-			}
-
 			const { from, subject, body, dryrun, query } = this.bodyParams;
 
 			const result = await Meteor.callAsync('Mailer.sendMail', from, subject, body, Boolean(dryrun), query);

diff --git a/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts b/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts
@@ -1,13 +1,22 @@
 import { expect } from 'chai';
-import { before, describe, it } from 'mocha';
+import { before, after, describe, it } from 'mocha';
 import type { Response } from 'supertest';
 
 import { api, request, credentials, getCredentials } from '../../../data/api-data';
+import { updatePermission } from '../../../data/permissions.helper';
 
 describe('Mailer', () => {
 	before((done) => getCredentials(done));
 
-	describe('POST mailer', () => {
+	describe('POST mailer', async () => {
+		before(async () => {
+			return updatePermission('send-mail', ['admin']);
+		});
+
+		after(async () => {
+			return updatePermission('send-mail', ['admin']);
+		});
+
 		it('should send an email if the payload is correct', async () => {
 			await request
 				.post(api('mailer'))
@@ -58,6 +67,25 @@ describe('Mailer', () => {
 					expect(res.body).to.have.property('success', false);
 				});
 		});
+		it('should throw an error if user does NOT have the send-mail permission', async () => {
+			await updatePermission('send-mail', []);
+			await request
+				.post(api('mailer'))
+				.set(credentials)
+				.send({
+					from: '[email protected]',
+					subject: 'Test email subject',
+					body: 'Test email body',
+					dryrun: true,
+					query: '',
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(403)
+				.expect((res: Response) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
+				});
+		});
 	});
 });