chore!: Improve permissions check on im endpoints (#32333)

RocketChat · Jul 18, 2024 · 55a5cc2 · 55a5cc2
1 parent d6bf0da
commit 55a5cc2
Showing 1 changed file with 77 additions and 1 deletion.
diff --git a/apps/meteor/tests/end-to-end/api/direct-message.ts b/apps/meteor/tests/end-to-end/api/direct-message.ts
@@ -263,6 +263,82 @@ describe('[Direct Messages]', () => {
 		});
 	});
 
+	describe("Setting: 'Use Real Name': true", () => {
+		before(async () => updateSetting('UI_Use_Real_Name', true));
+		after(async () => updateSetting('UI_Use_Real_Name', false));
+
+		it('/im.list', (done) => {
+			request
+				.get(api('im.list'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('count', 1);
+					expect(res.body).to.have.property('total', 1);
+					expect(res.body).to.have.property('ims').and.to.be.an('array');
+
+					const im = res.body.ims[0];
+
+					expect(im).to.have.property('_id');
+					expect(im).to.have.property('t').and.to.be.eq('d');
+					expect(im).to.have.property('msgs').and.to.be.a('number');
+					expect(im).to.have.property('usernames').and.to.be.an('array');
+					expect(im).to.have.property('lm');
+					expect(im).to.have.property('_updatedAt');
+					expect(im).to.have.property('ts');
+					expect(im).to.have.property('lastMessage');
+
+					const { lastMessage } = im;
+
+					expect(lastMessage).to.have.nested.property('u.name', 'RocketChat Internal Admin Test');
+				})
+				.end(done);
+		});
+
+		after(async () => {
+			return updatePermission('view-room-administration', ['admin']);
+		});
+
+		it('should succesfully return a list of direct messages', async () => {
+			await request
+				.get(api('im.list.everyone'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('count', 1);
+					expect(res.body).to.have.property('total', 1);
+					expect(res.body).to.have.property('ims').and.to.be.an('array');
+					const im = res.body.ims[0];
+					expect(im).to.have.property('_id');
+					expect(im).to.have.property('t').and.to.be.eq('d');
+					expect(im).to.have.property('msgs').and.to.be.a('number');
+					expect(im).to.have.property('usernames').and.to.be.an('array');
+					expect(im).to.have.property('ro');
+					expect(im).to.have.property('sysMes');
+					expect(im).to.have.property('_updatedAt');
+					expect(im).to.have.property('ts');
+					expect(im).to.have.property('lastMessage');
+				});
+		});
+
+		it('should fail if user does NOT have the view-room-administration permission', async () => {
+			await updatePermission('view-room-administration', []);
+			await request
+				.get(api('im.list.everyone'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(403)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
+				});
+		});
+	});
+
 	describe("Setting: 'Use Real Name': true", () => {
 		before(async () => updateSetting('UI_Use_Real_Name', true));
 		after(async () => updateSetting('UI_Use_Real_Name', false));
@@ -404,7 +480,7 @@ describe('[Direct Messages]', () => {
 		});
 		it('should fail when the endpoint is disabled and the user doesnt have permission', async () => {
 			await updateSetting('API_Enable_Direct_Message_History_EndPoint', false);
-			await updatePermission('view-room-administration', []);
+			await updatePermission('view-room-administration', ['admin']);
 			await request
 				.get(api('im.messages.others'))
 				.set(credentials)