Skip to content

Commit

Permalink
chore: Improve permissions check on users endpoints (#32353)
Browse files Browse the repository at this point in the history
  • Loading branch information
matheusbsilva137 authored and ggazzo committed Jul 26, 2024
1 parent 22c9512 commit 3f5c61f
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 31 deletions.
38 changes: 11 additions & 27 deletions apps/meteor/app/api/server/v1/users.ts
Original file line number Diff line number Diff line change
Expand Up @@ -323,13 +323,9 @@ API.v1.addRoute(

API.v1.addRoute(
'users.delete',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['delete-user'] },
{
async post() {
if (!(await hasPermissionAsync(this.userId, 'delete-user'))) {
return API.v1.unauthorized();
}

const user = await getUserFromParams(this.bodyParams);
const { confirmRelinquish = false } = this.bodyParams;

Expand Down Expand Up @@ -364,16 +360,15 @@ API.v1.addRoute(

API.v1.addRoute(
'users.setActiveStatus',
{ authRequired: true, validateParams: isUserSetActiveStatusParamsPOST },
{
authRequired: true,
validateParams: isUserSetActiveStatusParamsPOST,
permissionsRequired: {
POST: { permissions: ['edit-other-user-active-status', 'manage-moderation-actions'], operation: 'hasAny' },
},
},
{
async post() {
if (
!(await hasPermissionAsync(this.userId, 'edit-other-user-active-status')) &&
!(await hasPermissionAsync(this.userId, 'manage-moderation-actions'))
) {
return API.v1.unauthorized();
}

const { userId, activeStatus, confirmRelinquish = false } = this.bodyParams;
await Meteor.callAsync('setUserActiveStatus', userId, activeStatus, confirmRelinquish);

Expand All @@ -390,13 +385,9 @@ API.v1.addRoute(

API.v1.addRoute(
'users.deactivateIdle',
{ authRequired: true, validateParams: isUserDeactivateIdleParamsPOST },
{ authRequired: true, validateParams: isUserDeactivateIdleParamsPOST, permissionsRequired: ['edit-other-user-active-status'] },
{
async post() {
if (!(await hasPermissionAsync(this.userId, 'edit-other-user-active-status'))) {
return API.v1.unauthorized();
}

const { daysIdle, role = 'user' } = this.bodyParams;

const lastLoggedIn = new Date();
Expand Down Expand Up @@ -468,13 +459,10 @@ API.v1.addRoute(
{
authRequired: true,
queryOperations: ['$or', '$and'],
permissionsRequired: ['view-d-room'],
},
{
async get() {
if (!(await hasPermissionAsync(this.userId, 'view-d-room'))) {
return API.v1.unauthorized();
}

if (
settings.get('API_Apply_permission_view-outside-room_on_users-list') &&
!(await hasPermissionAsync(this.userId, 'view-outside-room'))
Expand Down Expand Up @@ -824,13 +812,9 @@ API.v1.addRoute(

API.v1.addRoute(
'users.getPersonalAccessTokens',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['create-personal-access-tokens'] },
{
async get() {
if (!(await hasPermissionAsync(this.userId, 'create-personal-access-tokens'))) {
throw new Meteor.Error('not-authorized', 'Not Authorized');
}

const user = (await Users.getLoginTokensByUserId(this.userId).toArray())[0] as unknown as IUser | undefined;

const isPersonalAccessToken = (loginToken: ILoginToken | IPersonalAccessToken): loginToken is IPersonalAccessToken =>
Expand Down
11 changes: 7 additions & 4 deletions apps/meteor/tests/end-to-end/api/users.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2944,7 +2944,7 @@ describe('[Users]', () => {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'unauthorized');
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});

Expand Down Expand Up @@ -3207,10 +3207,10 @@ describe('[Users]', () => {
.get(api('users.getPersonalAccessTokens'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(400)
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body.errorType).to.be.equal('not-authorized');
expect(res.body.error).to.be.equal('User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand Down Expand Up @@ -3331,6 +3331,7 @@ describe('[Users]', () => {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand All @@ -3347,6 +3348,7 @@ describe('[Users]', () => {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand All @@ -3363,6 +3365,7 @@ describe('[Users]', () => {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand Down Expand Up @@ -3577,7 +3580,7 @@ describe('[Users]', () => {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'unauthorized');
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand Down

0 comments on commit 3f5c61f

Please sign in to comment.