chore!: Improve permissions check on teams endpoints (#32351)

RocketChat · Jul 18, 2024 · d6bf0da · d6bf0da
1 parent 56f96a4
commit d6bf0da
Showing 1 changed file with 54 additions and 0 deletions.
diff --git a/apps/meteor/tests/end-to-end/api/teams.ts b/apps/meteor/tests/end-to-end/api/teams.ts
@@ -734,6 +734,60 @@ describe('[Teams]', () => {
 		});
 	});
 
+	describe('/teams.listAll', () => {
+		let teamName;
+		before(async () => {
+			await updatePermission('view-all-teams', ['admin']);
+			teamName = `test-team-${Date.now()}`;
+			await request.post(api('teams.create')).set(credentials).send({
+				name: teamName,
+				type: 0,
+			});
+		});
+
+		after(() => Promise.all([deleteTeam(credentials, teamName), updatePermission('view-all-teams', ['admin'])]));
+
+		it('should list all teams', async () => {
+			await request
+				.get(api('teams.listAll'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('count');
+					expect(res.body).to.have.property('offset', 0);
+					expect(res.body).to.have.property('total');
+					expect(res.body).to.have.property('teams');
+					expect(res.body.teams).to.be.an('array').that.is.not.empty;
+					expect(res.body.teams[0]).to.include.property('_id');
+					expect(res.body.teams[0]).to.include.property('_updatedAt');
+					expect(res.body.teams[0]).to.include.property('name');
+					expect(res.body.teams[0]).to.include.property('type');
+					expect(res.body.teams[0]).to.include.property('roomId');
+					expect(res.body.teams[0]).to.include.property('createdBy');
+					expect(res.body.teams[0].createdBy).to.include.property('_id');
+					expect(res.body.teams[0].createdBy).to.include.property('username');
+					expect(res.body.teams[0]).to.include.property('createdAt');
+					expect(res.body.teams[0]).to.include.property('rooms');
+					expect(res.body.teams[0]).to.include.property('numberOfUsers');
+				});
+		});
+
+		it('should return an error when the user does NOT have the view-all-teams permission', async () => {
+			await updatePermission('view-all-teams', []);
+			await request
+				.get(api('teams.listAll'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(403)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
+				});
+		});
+	});
+
 	describe('/teams.updateMember', () => {
 		let testTeam: ITeam;
 		const teamName = `test-team-update-member-${Date.now()}`;