Skip to content

Commit

Permalink
chore!: Improve permissions check on teams endpoints (#32351)
Browse files Browse the repository at this point in the history
  • Loading branch information
matheusbsilva137 authored and ggazzo committed Jul 16, 2024
1 parent a196874 commit c8c434f
Show file tree
Hide file tree
Showing 2 changed files with 81 additions and 14 deletions.
17 changes: 3 additions & 14 deletions apps/meteor/app/api/server/v1/teams.ts
Original file line number Diff line number Diff line change
Expand Up @@ -44,13 +44,9 @@ API.v1.addRoute(

API.v1.addRoute(
'teams.listAll',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['view-all-teams'] },
{
async get() {
if (!(await hasPermissionAsync(this.userId, 'view-all-teams'))) {
return API.v1.unauthorized();
}

const { offset, count } = await getPaginationItems(this.queryParams);

const { records, total } = await Team.listAll({ offset, count });
Expand All @@ -67,13 +63,9 @@ API.v1.addRoute(

API.v1.addRoute(
'teams.create',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['create-team'] },
{
async post() {
if (!(await hasPermissionAsync(this.userId, 'create-team'))) {
return API.v1.unauthorized();
}

check(
this.bodyParams,
Match.ObjectIncluding({
Expand Down Expand Up @@ -285,10 +277,7 @@ API.v1.addRoute(

const allowPrivateTeam: boolean = await hasPermissionAsync(this.userId, 'view-all-teams', team.roomId);

let getAllRooms = false;
if (await hasPermissionAsync(this.userId, 'view-all-team-channels', team.roomId)) {
getAllRooms = true;
}
const getAllRooms = await hasPermissionAsync(this.userId, 'view-all-team-channels', team.roomId);

const listFilter = {
name: filter ?? undefined,
Expand Down
78 changes: 78 additions & 0 deletions apps/meteor/tests/end-to-end/api/teams.ts
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,13 @@ describe('[Teams]', () => {
});

after(() => Promise.all([...createdTeams.map((team) => deleteTeam(credentials, team.name)), deleteUser(testUser)]));
before(async () => {
return updatePermission('create-team', ['admin', 'user']);
});

after(async () => {
return updatePermission('create-team', ['admin', 'user']);
});

it('should create a public team', (done) => {
void request
Expand Down Expand Up @@ -172,6 +179,23 @@ describe('[Teams]', () => {
})
.end(done);
});

it('should not allow creating a team when the user does NOT have the create-team permission', async () => {
await updatePermission('create-team', []);
await request
.post(api('teams.create'))
.set(credentials)
.send({
name: `test-team-${Date.now()}`,
type: 0,
})
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});

describe('/teams.convertToChannel', () => {
Expand Down Expand Up @@ -656,6 +680,60 @@ describe('[Teams]', () => {
});
});

describe('/teams.listAll', () => {
let teamName;
before(async () => {
await updatePermission('view-all-teams', ['admin']);
teamName = `test-team-${Date.now()}`;
await request.post(api('teams.create')).set(credentials).send({
name: teamName,
type: 0,
});
});

after(() => Promise.all([deleteTeam(credentials, teamName), updatePermission('view-all-teams', ['admin'])]));

it('should list all teams', async () => {
await request
.get(api('teams.listAll'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('count');
expect(res.body).to.have.property('offset', 0);
expect(res.body).to.have.property('total');
expect(res.body).to.have.property('teams');
expect(res.body.teams).to.be.an('array').that.is.not.empty;
expect(res.body.teams[0]).to.include.property('_id');
expect(res.body.teams[0]).to.include.property('_updatedAt');
expect(res.body.teams[0]).to.include.property('name');
expect(res.body.teams[0]).to.include.property('type');
expect(res.body.teams[0]).to.include.property('roomId');
expect(res.body.teams[0]).to.include.property('createdBy');
expect(res.body.teams[0].createdBy).to.include.property('_id');
expect(res.body.teams[0].createdBy).to.include.property('username');
expect(res.body.teams[0]).to.include.property('createdAt');
expect(res.body.teams[0]).to.include.property('rooms');
expect(res.body.teams[0]).to.include.property('numberOfUsers');
});
});

it('should return an error when the user does NOT have the view-all-teams permission', async () => {
await updatePermission('view-all-teams', []);
await request
.get(api('teams.listAll'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});

describe('/teams.updateMember', () => {
let testTeam: ITeam;
const teamName = `test-team-update-member-${Date.now()}`;
Expand Down

0 comments on commit c8c434f

Please sign in to comment.