From d6bf0daa1d67607cf1eb6dd3fb53ec82315901b1 Mon Sep 17 00:00:00 2001
From: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com>
Date: Thu, 9 May 2024 17:49:56 -0300
Subject: [PATCH] chore!: Improve permissions check on teams endpoints (#32351)

---
 apps/meteor/tests/end-to-end/api/teams.ts | 54 +++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/apps/meteor/tests/end-to-end/api/teams.ts b/apps/meteor/tests/end-to-end/api/teams.ts
index 7a8e846fbe97a..4b61dd3d2daa8 100644
--- a/apps/meteor/tests/end-to-end/api/teams.ts
+++ b/apps/meteor/tests/end-to-end/api/teams.ts
@@ -734,6 +734,60 @@ describe('[Teams]', () => {
 		});
 	});
 
+	describe('/teams.listAll', () => {
+		let teamName;
+		before(async () => {
+			await updatePermission('view-all-teams', ['admin']);
+			teamName = `test-team-${Date.now()}`;
+			await request.post(api('teams.create')).set(credentials).send({
+				name: teamName,
+				type: 0,
+			});
+		});
+
+		after(() => Promise.all([deleteTeam(credentials, teamName), updatePermission('view-all-teams', ['admin'])]));
+
+		it('should list all teams', async () => {
+			await request
+				.get(api('teams.listAll'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('count');
+					expect(res.body).to.have.property('offset', 0);
+					expect(res.body).to.have.property('total');
+					expect(res.body).to.have.property('teams');
+					expect(res.body.teams).to.be.an('array').that.is.not.empty;
+					expect(res.body.teams[0]).to.include.property('_id');
+					expect(res.body.teams[0]).to.include.property('_updatedAt');
+					expect(res.body.teams[0]).to.include.property('name');
+					expect(res.body.teams[0]).to.include.property('type');
+					expect(res.body.teams[0]).to.include.property('roomId');
+					expect(res.body.teams[0]).to.include.property('createdBy');
+					expect(res.body.teams[0].createdBy).to.include.property('_id');
+					expect(res.body.teams[0].createdBy).to.include.property('username');
+					expect(res.body.teams[0]).to.include.property('createdAt');
+					expect(res.body.teams[0]).to.include.property('rooms');
+					expect(res.body.teams[0]).to.include.property('numberOfUsers');
+				});
+		});
+
+		it('should return an error when the user does NOT have the view-all-teams permission', async () => {
+			await updatePermission('view-all-teams', []);
+			await request
+				.get(api('teams.listAll'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(403)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
+				});
+		});
+	});
+
 	describe('/teams.updateMember', () => {
 		let testTeam: ITeam;
 		const teamName = `test-team-update-member-${Date.now()}`;
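Review bot: The `before` hook posts `teams.create` without asserting the response, so a failed setup is detected only indirectly — as `deleteTeam` failing in `after`, or not at all if other teams already exist, because 'should list all teams' only checks the shape of `res.body.teams[0]` and never that `teamName` is in the listing; add `.expect(200)` to the create call and `expect(res.body.teams.map((t: ITeam) => t.name)).to.include(teamName);` to the positive test. `let teamName;` is an untyped declaration whose type evolves from later assignments; `let teamName: string;` matches the `let testTeam: ITeam;` style of the adjacent block. The 403 case exercises only an admin whose permission was stripped; asserting the same response for a non-admin account would show the endpoint gates on the `view-all-teams` permission rather than on role, though no such fixture is visible in this hunk. The enclosing describe('[Teams]') block starts and ends outside the hunk.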