Skip to content

Commit

Permalink
chore: Improve permissions check on users endpoints (#32353)
Browse files Browse the repository at this point in the history
  • Loading branch information
matheusbsilva137 authored and ggazzo committed Jun 19, 2024
1 parent d14ed24 commit cf4e2f9
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 31 deletions.
38 changes: 11 additions & 27 deletions apps/meteor/app/api/server/v1/users.ts
Original file line number Diff line number Diff line change
Expand Up @@ -308,13 +308,9 @@ API.v1.addRoute(

API.v1.addRoute(
'users.delete',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['delete-user'] },
{
async post() {
if (!(await hasPermissionAsync(this.userId, 'delete-user'))) {
return API.v1.unauthorized();
}

const user = await getUserFromParams(this.bodyParams);
const { confirmRelinquish = false } = this.bodyParams;

Expand Down Expand Up @@ -349,16 +345,15 @@ API.v1.addRoute(

API.v1.addRoute(
'users.setActiveStatus',
{ authRequired: true, validateParams: isUserSetActiveStatusParamsPOST },
{
authRequired: true,
validateParams: isUserSetActiveStatusParamsPOST,
permissionsRequired: {
POST: { permissions: ['edit-other-user-active-status', 'manage-moderation-actions'], operation: 'hasAny' },
},
},
{
async post() {
if (
!(await hasPermissionAsync(this.userId, 'edit-other-user-active-status')) &&
!(await hasPermissionAsync(this.userId, 'manage-moderation-actions'))
) {
return API.v1.unauthorized();
}

const { userId, activeStatus, confirmRelinquish = false } = this.bodyParams;
await Meteor.callAsync('setUserActiveStatus', userId, activeStatus, confirmRelinquish);

Expand All @@ -375,13 +370,9 @@ API.v1.addRoute(

API.v1.addRoute(
'users.deactivateIdle',
{ authRequired: true, validateParams: isUserDeactivateIdleParamsPOST },
{ authRequired: true, validateParams: isUserDeactivateIdleParamsPOST, permissionsRequired: ['edit-other-user-active-status'] },
{
async post() {
if (!(await hasPermissionAsync(this.userId, 'edit-other-user-active-status'))) {
return API.v1.unauthorized();
}

const { daysIdle, role = 'user' } = this.bodyParams;

const lastLoggedIn = new Date();
Expand Down Expand Up @@ -452,13 +443,10 @@ API.v1.addRoute(
{
authRequired: true,
queryOperations: ['$or', '$and'],
permissionsRequired: ['view-d-room'],
},
{
async get() {
if (!(await hasPermissionAsync(this.userId, 'view-d-room'))) {
return API.v1.unauthorized();
}

if (
settings.get('API_Apply_permission_view-outside-room_on_users-list') &&
!(await hasPermissionAsync(this.userId, 'view-outside-room'))
Expand Down Expand Up @@ -804,13 +792,9 @@ API.v1.addRoute(

API.v1.addRoute(
'users.getPersonalAccessTokens',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['create-personal-access-tokens'] },
{
async get() {
if (!(await hasPermissionAsync(this.userId, 'create-personal-access-tokens'))) {
throw new Meteor.Error('not-authorized', 'Not Authorized');
}

const user = (await Users.getLoginTokensByUserId(this.userId).toArray())[0] as unknown as IUser | undefined;

const isPersonalAccessToken = (loginToken: ILoginToken | IPersonalAccessToken): loginToken is IPersonalAccessToken =>
Expand Down
11 changes: 7 additions & 4 deletions apps/meteor/tests/end-to-end/api/01-users.js
Original file line number Diff line number Diff line change
Expand Up @@ -2644,7 +2644,7 @@ describe('[Users]', function () {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'unauthorized');
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});

Expand Down Expand Up @@ -2907,10 +2907,10 @@ describe('[Users]', function () {
.get(api('users.getPersonalAccessTokens'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(400)
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body.errorType).to.be.equal('not-authorized');
expect(res.body.error).to.be.equal('User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand Down Expand Up @@ -3031,6 +3031,7 @@ describe('[Users]', function () {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand All @@ -3047,6 +3048,7 @@ describe('[Users]', function () {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand All @@ -3063,6 +3065,7 @@ describe('[Users]', function () {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand Down Expand Up @@ -3277,7 +3280,7 @@ describe('[Users]', function () {
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'unauthorized');
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
})
.end(done);
});
Expand Down

0 comments on commit cf4e2f9

Please sign in to comment.