From 3d2eba3eceea917f478613de4026eb6546134f26 Mon Sep 17 00:00:00 2001 From: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com> Date: Tue, 14 May 2024 18:10:09 -0300 Subject: [PATCH] chore!: Improve permissions check on misc endpoints (#32337) --- apps/meteor/app/api/server/v1/misc.ts | 6 +-- .../tests/end-to-end/api/00-miscellaneous.js | 39 +++++++++++++++++++ 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/apps/meteor/app/api/server/v1/misc.ts b/apps/meteor/app/api/server/v1/misc.ts index bdf6fa2dd1c6..11207b21ee8b 100644 --- a/apps/meteor/app/api/server/v1/misc.ts +++ b/apps/meteor/app/api/server/v1/misc.ts @@ -22,7 +22,6 @@ import { v4 as uuidv4 } from 'uuid'; import { i18n } from '../../../../server/lib/i18n'; import { SystemLogger } from '../../../../server/lib/logger/system'; import { getLogs } from '../../../../server/stream/stdout'; -import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission'; import { passwordPolicy } from '../../../lib/server'; import { settings } from '../../../settings/server'; import { getDefaultUserFields } from '../../../utils/server/functions/getDefaultUserFields'; @@ -472,12 +471,9 @@ API.v1.addRoute( */ API.v1.addRoute( 'stdout.queue', - { authRequired: true }, + { authRequired: true, permissionsRequired: ['view-logs'] }, { async get() { - if (!(await hasPermissionAsync(this.userId, 'view-logs'))) { - return API.v1.unauthorized(); - } return API.v1.success({ queue: getLogs() }); }, }, diff --git a/apps/meteor/tests/end-to-end/api/00-miscellaneous.js b/apps/meteor/tests/end-to-end/api/00-miscellaneous.js index a96865aa8419..2d0744403796 100644 --- a/apps/meteor/tests/end-to-end/api/00-miscellaneous.js +++ b/apps/meteor/tests/end-to-end/api/00-miscellaneous.js @@ -693,4 +693,43 @@ describe('miscellaneous', function () { .end(done); }); }); + + describe('/stdout.queue', () => { + before(async () => { + return updatePermission('view-logs', ['admin']); + }); + + after(async () => { + return updatePermission('view-logs', ['admin']); + }); + + it('should return server logs', async () => { + return request + .get(api('stdout.queue')) + .set(credentials) + .expect('Content-Type', 'application/json') + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body).to.have.property('queue').and.to.be.an('array').that.is.not.empty; + expect(res.body.queue[0]).to.be.an('object'); + expect(res.body.queue[0]).to.have.property('id').and.to.be.a('string'); + expect(res.body.queue[0]).to.have.property('string').and.to.be.a('string'); + expect(res.body.queue[0]).to.have.property('ts').and.to.be.a('string'); + }); + }); + + it('should not return server logs if user does NOT have the view-logs permission', async () => { + await updatePermission('view-logs', []); + return request + .get(api('stdout.queue')) + .set(credentials) + .expect('Content-Type', 'application/json') + .expect(403) + .expect((res) => { + expect(res.body).to.have.property('success', false); + expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]'); + }); + }); + }); });