
[FIX] Permission view-all-teams is not checked in the teams.info
endpoint (#25841)

Co-authored-by: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com>
2 people authored and csuarez committed Aug 26, 2022
1 parent 854070a commit 733d847
Showing 2 changed files with 85 additions and 2 deletions.
16 changes: 14 additions & 2 deletions apps/meteor/app/api/server/v1/teams.ts
Expand Up @@ -15,8 +15,8 @@ import type { ITeam } from '@rocket.chat/core-typings';
import { TEAM_TYPE } from '@rocket.chat/core-typings';

import { removeUserFromRoom } from '../../../lib/server/functions/removeUserFromRoom';
import { Users } from '../../../models/server';
import { hasAtLeastOnePermission, hasPermission } from '../../../authorization/server';
import { Rooms, Users } from '../../../models/server';
import { canAccessRoom, hasAtLeastOnePermission, hasPermission } from '../../../authorization/server';
import { Team } from '../../../../server/sdk';
import { API } from '../api';

Expand Down Expand Up @@ -576,6 +576,18 @@ API.v1.addRoute(
return API.v1.failure('Team not found');
}

const room = Rooms.findOneById(teamInfo.roomId);

if (!room) {
return API.v1.failure('Room not found');
}

const canViewInfo = canAccessRoom(room, { _id: this.userId }) || hasPermission(this.userId, 'view-all-teams');

if (!canViewInfo) {
return API.v1.unauthorized();
}

return API.v1.success({ teamInfo });
},
},
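Review bot: Both failure returns in this hunk precede the new authorization check, so a caller who is neither a member nor holder of `view-all-teams` can still learn whether a private team exists: a matching name reaches the new `API.v1.unauthorized()` branch (403) while a non-existent one gets the `Team not found` failure at the top of the hunk (400), and the added `Room not found` branch answers before authorization as well. If team existence is meant to be hidden from non-members, consider returning the same unauthorized response for the not-found cases when the caller lacks `view-all-teams`, or document the trade-off on the route; note the end-to-end test added in this commit pins the 400 for an empty name, so that test would need adjusting. A smaller point of style: the permission check is the branch the commit exists to add, yet it is evaluated only after `canAccessRoom`; writing `const canViewInfo = hasPermission(this.userId, 'view-all-teams') || canAccessRoom(room, { _id: this.userId });` short-circuits the room check for holders of the permission and reads in the order the fix describes (whether it is also cheaper depends on how `hasPermission` is backed, which this hunk does not show). The route handler starts before this hunk.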
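--- a/apps/meteor/tests/end-to-end/api/25-teams.js
+++ b/apps/meteor/tests/end-to-end/api/25-teams.js
@@ -819,6 +819,77 @@ describe('[Teams]', () => {
 });
 });
 
+describe('/teams.info', () => {
+it('should successfully get a team info by name', (done) => {
+request
+.get(api('teams.info'))
+.set(credentials)
+.query({
+teamName: publicTeam.name,
+})
+.expect('Content-Type', 'application/json')
+.expect(200)
+.expect((response) => {
+expect(response.body).to.have.property('success', true);
+expect(response.body).to.have.property('teamInfo');
+expect(response.body.teamInfo).to.have.property('_id', publicTeam._id);
+expect(response.body.teamInfo).to.have.property('name', publicTeam.name);
+})
+.then(() => done())
+.catch(done);
+});
+it('should successfully get a team info by id', (done) => {
+request
+.get(api('teams.info'))
+.set(credentials)
+.query({
+teamId: publicTeam._id,
+})
+.expect('Content-Type', 'application/json')
+.expect(200)
+.expect((response) => {
+expect(response.body).to.have.property('success', true);
+expect(response.body).to.have.property('teamInfo');
+expect(response.body.teamInfo).to.have.property('_id', publicTeam._id);
+expect(response.body.teamInfo).to.have.property('name', publicTeam.name);
+})
+.then(() => done())
+.catch(done);
+});
+it('should fail if a team is not found', (done) => {
+request
+.get(api('teams.info'))
+.set(credentials)
+.query({
+teamName: '',
+})
+.expect('Content-Type', 'application/json')
+.expect(400)
+.expect((response) => {
+expect(response.body).to.have.property('success', false);
+expect(response.body).to.have.property('error', 'Team not found');
+})
+.then(() => done())
+.catch(done);
+});
+it('should fail if a user doesnt belong to a team', (done) => {
+request
+.get(api('teams.info'))
+.set(testUserCredentials)
+.query({
+teamName: privateTeam.name,
+})
+.expect('Content-Type', 'application/json')
+.expect(403)
+.expect((response) => {
+expect(response.body).to.have.property('success', false);
+expect(response.body).to.have.property('error', 'unauthorized');
+})
+.then(() => done())
+.catch(done);
+});
+});
+
 describe('/teams.delete', () => {
 describe('deleting an empty team', () => {
 let roomId;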
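Review bot: The new `/teams.info` cases never exercise the `view-all-teams` branch the commit adds: the 403 case only shows that a non-member without the permission is rejected, and there is no case that grants the permission to a non-member and expects 200 for `privateTeam`, nor one checking that a member of a private team still gets 200. Adding those two cases (granting the permission through whatever permission-update helper the suite already uses, and restoring it afterwards) would pin the fix itself rather than only the denial path. The whole `describe('/teams.info')` block lies inside this hunk.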
