Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore!: Improve permissions check on im endpoints #32333

Merged
merged 20 commits into from
May 13, 2024
Merged

chore!: Improve permissions check on im endpoints #32333

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
5cea67f
chore: bump 7.0.0
ggazzo Apr 8, 2024
9b3d017
fix!: api login should not suggest which credential is wrong (#32159)
ggazzo Apr 9, 2024
8d5b603
chore!: remove hipchat importer (#32154)
pierre-lehnen-rc Apr 11, 2024
c2ab323
chore!: Removed Mongo 4.4. support and added 7.0 (#32162)
ggazzo Apr 12, 2024
68fee68
rebase with mongo
ggazzo Apr 24, 2024
42bde44
chore: Improve permissions check on im endpoints
matheusbsilva137 Apr 29, 2024
94b238d
chore: bump 7.0.0
ggazzo Apr 8, 2024
fcc9265
fix!: api login should not suggest which credential is wrong (#32159)
ggazzo Apr 9, 2024
cd0313b
chore!: remove hipchat importer (#32154)
pierre-lehnen-rc Apr 11, 2024
405da2a
chore!: Removed Mongo 4.4. support and added 7.0 (#32162)
ggazzo Apr 12, 2024
ce31b9d
rebase with mongo
ggazzo Apr 24, 2024
1c13d06
chore!: Improve permissions check on channels endpoints (#32330)
matheusbsilva137 May 3, 2024
8f45647
chore: Improve permissions check on cloud endpoints (#32331)
matheusbsilva137 May 3, 2024
ecaa003
chore: Improve permissions check on instances endpoints (#32334)
matheusbsilva137 May 3, 2024
5ee72d7
chore: Improve permissions check on LDAP endpoints (#32335)
matheusbsilva137 May 3, 2024
cb2fa7f
chore!: Improve permissions check on mailer endpoints (#32336)
matheusbsilva137 May 3, 2024
c42eef9
chore: Improve permissions check on users endpoints (#32353)
matheusbsilva137 May 7, 2024
5d45aed
Merge branch 'release-7.0.0' into chore/permissions-check-im
matheusbsilva137 May 7, 2024
9678f22
Merge branch 'release-7.0.0' into chore/permissions-check-im
matheusbsilva137 May 10, 2024
e696d53
test: add one more test case
matheusbsilva137 May 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 2 additions & 10 deletions apps/meteor/app/api/server/v1/im.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -395,7 +395,7 @@ API.v1.addRoute(

API.v1.addRoute(
['dm.messages.others', 'im.messages.others'],
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['view-room-administration'] },
{
async get() {
if (settings.get('API_Enable_Direct_Message_History_EndPoint') !== true) {
Expand All @@ -404,10 +404,6 @@ API.v1.addRoute(
});
}

if (!(await hasPermissionAsync(this.userId, 'view-room-administration'))) {
return API.v1.unauthorized();
}

const { roomId } = this.queryParams;
if (!roomId) {
throw new Meteor.Error('error-roomid-param-not-provided', 'The parameter "roomId" is required');
Expand Down Expand Up @@ -483,13 +479,9 @@ API.v1.addRoute(

API.v1.addRoute(
['dm.list.everyone', 'im.list.everyone'],
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['view-room-administration'] },
{
async get() {
if (!(await hasPermissionAsync(this.userId, 'view-room-administration'))) {
return API.v1.unauthorized();
}

const { offset, count }: { offset: number; count: number } = await getPaginationItems(this.queryParams);
const { sort, fields, query } = await this.parseJsonQuery();

Expand Down
182 changes: 106 additions & 76 deletions apps/meteor/tests/end-to-end/api/04-direct-message.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -206,29 +206,51 @@ describe('[Direct Messages]', function () {
.end(done);
});

it('/im.list.everyone', (done) => {
request
.get(api('im.list.everyone'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('count', 1);
expect(res.body).to.have.property('total', 1);
expect(res.body).to.have.property('ims').and.to.be.an('array');
const im = res.body.ims[0];
expect(im).to.have.property('_id');
expect(im).to.have.property('t').and.to.be.eq('d');
expect(im).to.have.property('msgs').and.to.be.a('number');
expect(im).to.have.property('usernames').and.to.be.an('array');
expect(im).to.have.property('ro');
expect(im).to.have.property('sysMes');
expect(im).to.have.property('_updatedAt');
expect(im).to.have.property('ts');
expect(im).to.have.property('lastMessage');
})
.end(done);
describe('/im.list.everyone', () => {
before(async () => {
return updatePermission('view-room-administration', ['admin']);
});

after(async () => {
return updatePermission('view-room-administration', ['admin']);
});

it('should succesfully return a list of direct messages', async () => {
await request
.get(api('im.list.everyone'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('count', 1);
expect(res.body).to.have.property('total', 1);
expect(res.body).to.have.property('ims').and.to.be.an('array');
const im = res.body.ims[0];
expect(im).to.have.property('_id');
expect(im).to.have.property('t').and.to.be.eq('d');
expect(im).to.have.property('msgs').and.to.be.a('number');
expect(im).to.have.property('usernames').and.to.be.an('array');
expect(im).to.have.property('ro');
expect(im).to.have.property('sysMes');
expect(im).to.have.property('_updatedAt');
expect(im).to.have.property('ts');
expect(im).to.have.property('lastMessage');
});
});

it('should fail if user does NOT have the view-room-administration permission', async () => {
await updatePermission('view-room-administration', []);
await request
.get(api('im.list.everyone'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});

describe("Setting: 'Use Real Name': true", () => {
Expand Down Expand Up @@ -355,63 +377,71 @@ describe('[Direct Messages]', function () {
});

describe('/im.messages.others', () => {
matheusbsilva137 marked this conversation as resolved.
Show resolved Hide resolved
it('should fail when the endpoint is disabled', (done) => {
updateSetting('API_Enable_Direct_Message_History_EndPoint', false).then(() => {
request
.get(api('im.messages.others'))
.set(credentials)
.query({
roomId: directMessage._id,
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('errorType', 'error-endpoint-disabled');
})
.end(done);
});
it('should fail when the endpoint is disabled and the user has permissions', async () => {
await updateSetting('API_Enable_Direct_Message_History_EndPoint', false);
await request
.get(api('im.messages.others'))
.set(credentials)
.query({
roomId: directMessage._id,
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('errorType', 'error-endpoint-disabled');
});
});
it('should fail when the endpoint is enabled but the user doesnt have permission', (done) => {
updateSetting('API_Enable_Direct_Message_History_EndPoint', true).then(() => {
updatePermission('view-room-administration', []).then(() => {
request
.get(api('im.messages.others'))
.set(credentials)
.query({
roomId: directMessage._id,
})
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'unauthorized');
})
.end(done);
it('should fail when the endpoint is disabled and the user doesnt have permission', async () => {
await updateSetting('API_Enable_Direct_Message_History_EndPoint', false);
await updatePermission('view-room-administration', ['admin']);
await request
.get(api('im.messages.others'))
.set(credentials)
.query({
roomId: directMessage._id,
})
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});
it('should succeed when the endpoint is enabled and user has permission', (done) => {
updateSetting('API_Enable_Direct_Message_History_EndPoint', true).then(() => {
updatePermission('view-room-administration', ['admin']).then(() => {
request
.get(api('im.messages.others'))
.set(credentials)
.query({
roomId: directMessage._id,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('messages').and.to.be.an('array');
expect(res.body).to.have.property('offset');
expect(res.body).to.have.property('count');
expect(res.body).to.have.property('total');
})
.end(done);
it('should fail when the endpoint is enabled but the user doesnt have permission', async () => {
await updateSetting('API_Enable_Direct_Message_History_EndPoint', true);
await updatePermission('view-room-administration', []);
await request
.get(api('im.messages.others'))
.set(credentials)
.query({
roomId: directMessage._id,
})
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
it('should succeed when the endpoint is enabled and user has permission', async () => {
await updateSetting('API_Enable_Direct_Message_History_EndPoint', true);
await updatePermission('view-room-administration', ['admin']);
await request
.get(api('im.messages.others'))
.set(credentials)
.query({
roomId: directMessage._id,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('messages').and.to.be.an('array');
expect(res.body).to.have.property('offset');
expect(res.body).to.have.property('count');
expect(res.body).to.have.property('total');
});
});
});
});

Expand Down
Loading