Skip to content

Commit

Permalink
chore!: Improve permissions check on misc endpoints (#32337)
Browse files Browse the repository at this point in the history
  • Loading branch information
matheusbsilva137 authored and ggazzo committed May 15, 2024
1 parent fe55884 commit d2530d3
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 5 deletions.
6 changes: 1 addition & 5 deletions apps/meteor/app/api/server/v1/misc.ts
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ import { v4 as uuidv4 } from 'uuid';
import { i18n } from '../../../../server/lib/i18n';
import { SystemLogger } from '../../../../server/lib/logger/system';
import { getLogs } from '../../../../server/stream/stdout';
import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
import { passwordPolicy } from '../../../lib/server';
import { settings } from '../../../settings/server';
import { getDefaultUserFields } from '../../../utils/server/functions/getDefaultUserFields';
Expand Down Expand Up @@ -472,12 +471,9 @@ API.v1.addRoute(
*/
API.v1.addRoute(
'stdout.queue',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['view-logs'] },
{
async get() {
if (!(await hasPermissionAsync(this.userId, 'view-logs'))) {
return API.v1.unauthorized();
}
return API.v1.success({ queue: getLogs() });
},
},
Expand Down
39 changes: 39 additions & 0 deletions apps/meteor/tests/end-to-end/api/00-miscellaneous.js
Original file line number Diff line number Diff line change
Expand Up @@ -693,4 +693,43 @@ describe('miscellaneous', function () {
.end(done);
});
});

describe('/stdout.queue', () => {
before(async () => {
return updatePermission('view-logs', ['admin']);
});

after(async () => {
return updatePermission('view-logs', ['admin']);
});

it('should return server logs', async () => {
return request
.get(api('stdout.queue'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('queue').and.to.be.an('array').that.is.not.empty;
expect(res.body.queue[0]).to.be.an('object');
expect(res.body.queue[0]).to.have.property('id').and.to.be.a('string');
expect(res.body.queue[0]).to.have.property('string').and.to.be.a('string');
expect(res.body.queue[0]).to.have.property('ts').and.to.be.a('string');
});
});

it('should not return server logs if user does NOT have the view-logs permission', async () => {
await updatePermission('view-logs', []);
return request
.get(api('stdout.queue'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});
});

0 comments on commit d2530d3

Please sign in to comment.