Skip to content

Commit

Permalink
chore!: Improve permissions check on groups endpoints (#32332)
Browse files Browse the repository at this point in the history
  • Loading branch information
matheusbsilva137 authored and ggazzo committed Sep 5, 2024
1 parent 456426b commit 792df00
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 45 deletions.
31 changes: 13 additions & 18 deletions apps/meteor/app/api/server/v1/groups.ts
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,7 @@ import { findUsersOfRoom } from '../../../../server/lib/findUsersOfRoom';
import { hideRoomMethod } from '../../../../server/methods/hideRoom';
import { removeUserFromRoomMethod } from '../../../../server/methods/removeUserFromRoom';
import { canAccessRoomAsync, roomAccessAttributes } from '../../../authorization/server';
import {
hasAllPermissionAsync,
hasAtLeastOnePermissionAsync,
hasPermissionAsync,
} from '../../../authorization/server/functions/hasPermission';
import { hasAllPermissionAsync, hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
import { saveRoomSettings } from '../../../channel-settings/server/methods/saveRoomSettings';
import { mountIntegrationQueryBasedOnPermissions } from '../../../integrations/server/lib/mountQueriesBasedOnPermission';
import { createPrivateGroupMethod } from '../../../lib/server/methods/createPrivateGroup';
Expand Down Expand Up @@ -412,20 +408,22 @@ API.v1.addRoute(

API.v1.addRoute(
'groups.getIntegrations',
{ authRequired: true },
{
async get() {
if (
!(await hasAtLeastOnePermissionAsync(this.userId, [
authRequired: true,
permissionsRequired: {
GET: {
permissions: [
'manage-outgoing-integrations',
'manage-own-outgoing-integrations',
'manage-incoming-integrations',
'manage-own-incoming-integrations',
]))
) {
return API.v1.unauthorized();
}

],
operation: 'hasAny',
},
},
},
{
async get() {
const findResult = await findPrivateGroupByIdOrName({
params: this.queryParams,
userId: this.userId,
Expand Down Expand Up @@ -670,12 +668,9 @@ API.v1.addRoute(

API.v1.addRoute(
'groups.listAll',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['view-room-administration'] },
{
async get() {
if (!(await hasPermissionAsync(this.userId, 'view-room-administration'))) {
return API.v1.unauthorized();
}
const { offset, count } = await getPaginationItems(this.queryParams);
const { sort, fields, query } = await this.parseJsonQuery();
const ourQuery = Object.assign({}, query, { t: 'p' as RoomType });
Expand Down
58 changes: 31 additions & 27 deletions apps/meteor/tests/end-to-end/api/groups.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1154,33 +1154,37 @@ describe('[Groups]', () => {
});

describe('/groups.listAll', () => {
it('should fail if the user doesnt have view-room-administration permission', (done) => {
void updatePermission('view-room-administration', []).then(() => {
void request
.get(api('groups.listAll'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'unauthorized');
})
.end(done);
});
before(async () => {
return updatePermission('view-room-administration', ['admin']);
});
it('should succeed if user has view-room-administration permission', (done) => {
void updatePermission('view-room-administration', ['admin']).then(() => {
void request
.get(api('groups.listAll'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('groups').and.to.be.an('array');
})
.end(done);
});

after(async () => {
return updatePermission('view-room-administration', ['admin']);
});

it('should succeed if user has view-room-administration permission', async () => {
await request
.get(api('groups.listAll'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('groups').and.to.be.an('array');
});
});

it('should fail if the user doesnt have view-room-administration permission', async () => {
await updatePermission('view-room-administration', []);
await request
.get(api('groups.listAll'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});

Expand Down Expand Up @@ -1345,7 +1349,7 @@ describe('[Groups]', () => {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'unauthorized');
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});
Expand Down

0 comments on commit 792df00

Please sign in to comment.