chore!: Improve permissions check on licenses endpoints (#32354)

RocketChat · Sep 27, 2024 · 3fb0302 · 3fb0302
1 parent cba6c7e
commit 3fb0302
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 6 deletions.
diff --git a/apps/meteor/ee/server/api/licenses.ts b/apps/meteor/ee/server/api/licenses.ts
@@ -41,17 +41,13 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'licenses.add',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['edit-privileged-setting'] },
 	{
 		async post() {
 			check(this.bodyParams, {
 				license: String,
 			});
 
-			if (!(await hasPermissionAsync(this.userId, 'edit-privileged-setting'))) {
-				return API.v1.unauthorized();
-			}
-
 			const { license } = this.bodyParams;
 			if (!(await License.validateFormat(license))) {
 				return API.v1.failure('Invalid license');

diff --git a/apps/meteor/tests/end-to-end/api/licenses.ts b/apps/meteor/tests/end-to-end/api/licenses.ts
@@ -48,7 +48,7 @@ describe('licenses', () => {
 				.expect(403)
 				.expect((res) => {
 					expect(res.body).to.have.property('success', false);
-					expect(res.body).to.have.property('error', 'unauthorized');
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
 				})
 				.end(done);
 		});