From 600ea5c89fbe53c2d8ecd55741837a7c28e5f328 Mon Sep 17 00:00:00 2001
From: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com>
Date: Fri, 3 May 2024 17:30:48 -0300
Subject: [PATCH] chore!: Improve permissions check on mailer endpoints (#32336)

---
 apps/meteor/app/api/server/v1/mailer.ts | 6 +---
 .../end-to-end/api/livechat/12-mailer.ts | 32 +++++++++++++++++--
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/apps/meteor/app/api/server/v1/mailer.ts b/apps/meteor/app/api/server/v1/mailer.ts
index 767868090b91..56229e26dc31 100644
--- a/apps/meteor/app/api/server/v1/mailer.ts
+++ b/apps/meteor/app/api/server/v1/mailer.ts
@@ -1,6 +1,5 @@
 import { isMailerProps, isMailerUnsubscribeProps } from '@rocket.chat/rest-typings';
 
-import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { API } from '../api';
 
 API.v1.addRoute(
@@ -8,13 +7,10 @@ API.v1.addRoute(
 	{
 		authRequired: true,
 		validateParams: isMailerProps,
+		permissionsRequired: ['send-mail'],
 	},
 	{
 		async post() {
-			if (!(await hasPermissionAsync(this.userId, 'send-mail'))) {
-				throw new Error('error-not-allowed');
-			}
-
 			const { from, subject, body, dryrun, query } = this.bodyParams;
 
 			const result = await Meteor.callAsync('Mailer.sendMail', from, subject, body, Boolean(dryrun), query);
diff --git a/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts b/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts
index 01a47594620d..c9bdaa613985 100644
--- a/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts
+++ b/apps/meteor/tests/end-to-end/api/livechat/12-mailer.ts
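Review bot: The `permissionsRequired: ['send-mail']` line changes what an unauthorized caller gets back: the removed branch threw `Error('error-not-allowed')` from inside `post()`, whereas the declarative option is enforced by the router before the handler runs and, per the new test in 12-mailer.ts, answers with 403 and `error-unauthorized`. That justifies the `chore!` marker, but the diffstat shows only the route and its test changed, so nothing in the commit records the new response for API consumers; if the repository keeps a changeset or API changelog for breaking REST changes, this commit should carry an entry. A short comment on the option would also spare the next reader the archaeology, e.g. `// Checked by the router before post() runs; replaces the former in-handler hasPermissionAsync check (failure is now 403 error-unauthorized).` The enclosing `API.v1.addRoute('mailer', …)` call starts and ends outside the hunk, and the route that uses the still-imported `isMailerUnsubscribeProps` is not in view, so whether it needs the same treatment cannot be judged here.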
@@ -1,13 +1,22 @@
 import { expect } from 'chai';
-import { before, describe, it } from 'mocha';
+import { before, after, describe, it } from 'mocha';
 import type { Response } from 'supertest';
 
 import { api, request, credentials, getCredentials } from '../../../data/api-data';
+import { updatePermission } from '../../../data/permissions.helper';
 
 describe('Mailer', () => {
 	before((done) => getCredentials(done));
 
-	describe('POST mailer', () => {
+	describe('POST mailer', async () => {
+		before(async () => {
+			return updatePermission('send-mail', ['admin']);
+		});
+
+		after(async () => {
+			return updatePermission('send-mail', ['admin']);
+		});
+
 		it('should send an email if the payload is correct', async () => {
 			await request
 				.post(api('mailer'))
@@ -58,6 +67,25 @@ describe('Mailer', () => {
 				expect(res.body).to.have.property('success', false);
 			});
 		});
+		it('should throw an error if user does NOT have the send-mail permission', async () => {
+			await updatePermission('send-mail', []);
+			await request
+				.post(api('mailer'))
+				.set(credentials)
+				.send({
+					from: 'test-mail@test.com',
+					subject: 'Test email subject',
+					body: 'Test email body',
+					dryrun: true,
+					query: '',
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(403)
+				.expect((res: Response) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
+				});
+		});
 	});
 });
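Review bot: `describe('POST mailer', async () => {` turns the suite callback into an async function, but mocha does not await describe callbacks and nothing in the body uses `await`, so the returned promise is discarded and the keyword only invites a later `await` that would register tests after the suite has already been built. Keep the callback synchronous as it was: `describe('POST mailer', () => {`. The two hooks can likewise return the promise directly, `before(() => updatePermission('send-mail', ['admin']));` and the same for `after`, which is equivalent and shorter. The outer `describe('Mailer', …)` opens here and closes in the next hunk.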
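Review bot: The new test strips the permission with `updatePermission('send-mail', [])` and relies solely on the suite-level `after` hook to put it back, so any `it` added after this one inside `POST mailer` would run with `send-mail` removed and fail for a reason unrelated to what it tests. Restoring inside the test itself, or moving the reset into an `afterEach` hook, keeps the suite order-independent: `afterEach(() => updatePermission('send-mail', ['admin']));`. The second assertion also pins the router's full human-readable message; the 403 status is the security-relevant check, and matching only the stable error code, e.g. `expect(res.body).to.have.property('error').that.includes('error-unauthorized');`, would keep the test from breaking on a wording change. The enclosing describe blocks start outside this hunk.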