chore: Improve permissions check on cloud endpoints (#32331)

RocketChat · Sep 25, 2024 · bb42e41 · bb42e41
1 parent f95989a
commit bb42e41
Showing 1 changed file with 4 additions and 21 deletions.
diff --git a/apps/meteor/app/api/server/v1/cloud.ts b/apps/meteor/app/api/server/v1/cloud.ts
@@ -2,7 +2,6 @@ import { check } from 'meteor/check';
 
 import { CloudWorkspaceRegistrationError } from '../../../../lib/errors/CloudWorkspaceRegistrationError';
 import { SystemLogger } from '../../../../server/lib/logger/system';
-import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { hasRoleAsync } from '../../../authorization/server/functions/hasRole';
 import { getCheckoutUrl } from '../../../cloud/server/functions/getCheckoutUrl';
 import { getConfirmationPoll } from '../../../cloud/server/functions/getConfirmationPoll';
@@ -20,17 +19,13 @@ import { API } from '../api';
 
 API.v1.addRoute(
 	'cloud.manualRegister',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['register-on-cloud'] },
 	{
 		async post() {
 			check(this.bodyParams, {
 				cloudBlob: String,
 			});
 
-			if (!(await hasPermissionAsync(this.userId, 'register-on-cloud'))) {
-				return API.v1.unauthorized();
-			}
-
 			const registrationInfo = await retrieveRegistrationStatus();
 
 			if (registrationInfo.workspaceRegistered) {
@@ -48,18 +43,14 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'cloud.createRegistrationIntent',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['manage-cloud'] },
 	{
 		async post() {
 			check(this.bodyParams, {
 				resend: Boolean,
 				email: String,
 			});
 
-			if (!(await hasPermissionAsync(this.userId, 'manage-cloud'))) {
-				return API.v1.unauthorized();
-			}
-
 			const intentData = await startRegisterWorkspaceSetupWizard(this.bodyParams.resend, this.bodyParams.email);
 
 			if (intentData) {
@@ -73,32 +64,24 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'cloud.registerPreIntent',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['manage-cloud'] },
 	{
 		async post() {
-			if (!(await hasPermissionAsync(this.userId, 'manage-cloud'))) {
-				return API.v1.unauthorized();
-			}
-
 			return API.v1.success({ offline: !(await registerPreIntentWorkspaceWizard()) });
 		},
 	},
 );
 
 API.v1.addRoute(
 	'cloud.confirmationPoll',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['manage-cloud'] },
 	{
 		async get() {
 			const { deviceCode } = this.queryParams;
 			check(this.queryParams, {
 				deviceCode: String,
 			});
 
-			if (!(await hasPermissionAsync(this.userId, 'manage-cloud'))) {
-				return API.v1.unauthorized();
-			}
-
 			if (!deviceCode) {
 				return API.v1.failure('Invalid query');
 			}