From ddd321443ac1d1472dfaf906e84e3892667cd33d Mon Sep 17 00:00:00 2001
From: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com>
Date: Mon, 13 May 2024 09:00:35 -0300
Subject: [PATCH] chore!: Improve permissions check on licenses endpoints (#32354)
---
 apps/meteor/ee/server/api/licenses.ts | 6 +-----
 apps/meteor/tests/end-to-end/api/20-licenses.js | 2 +-
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/apps/meteor/ee/server/api/licenses.ts b/apps/meteor/ee/server/api/licenses.ts
index db3d73911ef0..355cd3c61834 100644
--- a/apps/meteor/ee/server/api/licenses.ts
+++ b/apps/meteor/ee/server/api/licenses.ts
@@ -40,17 +40,13 @@ API.v1.addRoute(
 API.v1.addRoute(
 'licenses.add',
- { authRequired: true },
+ { authRequired: true, permissionsRequired: ['edit-privileged-setting'] },
 {
 async post() {
 check(this.bodyParams, {
 license: String,
 });
- if (!(await hasPermissionAsync(this.userId, 'edit-privileged-setting'))) {
- return API.v1.unauthorized();
- }
-
 const { license } = this.bodyParams;
 if (!(await License.validateFormat(license))) {
 return API.v1.failure('Invalid license');
diff --git a/apps/meteor/tests/end-to-end/api/20-licenses.js b/apps/meteor/tests/end-to-end/api/20-licenses.js
index 83867712a80d..b9977c0e753b 100644
--- a/apps/meteor/tests/end-to-end/api/20-licenses.js
+++ b/apps/meteor/tests/end-to-end/api/20-licenses.js
@@ -46,7 +46,7 @@ describe('licenses', function () {
 .expect(403)
 .expect((res) => {
 expect(res.body).to.have.property('success', false);
- expect(res.body).to.have.property('error', 'unauthorized');
+ expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
 })
 .end(done);
 });
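Review bot: The 403 body for `licenses.add` changes with the move to route-level `permissionsRequired` (the test hunk shows `error` going from `unauthorized` to a longer message), yet the patch touches only the route and its test, so nothing here tells API consumers what the `chore!` marker breaks. A comment above the options object would record the contract, for example `// 403 [error-unauthorized] comes from permissionsRequired, before post() and its body check run`; that ordering is inferred from the option name, so confirm it against the route framework. If `hasPermissionAsync` has no other caller in licenses.ts, its import, which lies outside this hunk, is now dead and should be removed. The body of `post()` continues past the end of the hunk.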
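Review bot: The updated assertion pins the full human-readable message, so any rewording of that text fails the test even when the authorization outcome is unchanged. Matching the stable code is enough, for example `expect(res.body).to.have.property('error').that.includes('error-unauthorized');`, with `.expect(403)` still guarding the status. The enclosing `it` block starts outside the hunk, so the request body and credentials used for this case are not visible here.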