From 3b3d7cf990e7803a69930b0993f96d3b664abc1d Mon Sep 17 00:00:00 2001
From: Matheus Barbosa Silva
 <36537004+matheusbsilva137@users.noreply.github.com>
Date: Tue, 14 May 2024 18:10:09 -0300
Subject: [PATCH] chore!: Improve permissions check on misc endpoints (#32337)

---
 apps/meteor/app/api/server/v1/misc.ts         |  6 +--
 .../tests/end-to-end/api/00-miscellaneous.js  | 39 +++++++++++++++++++
 2 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/apps/meteor/app/api/server/v1/misc.ts b/apps/meteor/app/api/server/v1/misc.ts
index bdf6fa2dd1c6..11207b21ee8b 100644
--- a/apps/meteor/app/api/server/v1/misc.ts
+++ b/apps/meteor/app/api/server/v1/misc.ts
@@ -22,7 +22,6 @@ import { v4 as uuidv4 } from 'uuid';
 import { i18n } from '../../../../server/lib/i18n';
 import { SystemLogger } from '../../../../server/lib/logger/system';
 import { getLogs } from '../../../../server/stream/stdout';
-import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { passwordPolicy } from '../../../lib/server';
 import { settings } from '../../../settings/server';
 import { getDefaultUserFields } from '../../../utils/server/functions/getDefaultUserFields';
@@ -472,12 +471,9 @@ API.v1.addRoute(
  */
 API.v1.addRoute(
 	'stdout.queue',
-	{ authRequired: true },
+	{ authRequired: true, permissionsRequired: ['view-logs'] },
 	{
 		async get() {
-			if (!(await hasPermissionAsync(this.userId, 'view-logs'))) {
-				return API.v1.unauthorized();
-			}
 			return API.v1.success({ queue: getLogs() });
 		},
 	},
diff --git a/apps/meteor/tests/end-to-end/api/00-miscellaneous.js b/apps/meteor/tests/end-to-end/api/00-miscellaneous.js
index b4fb482a4f5a..bb4632b14698 100644
--- a/apps/meteor/tests/end-to-end/api/00-miscellaneous.js
+++ b/apps/meteor/tests/end-to-end/api/00-miscellaneous.js
@@ -694,4 +694,43 @@ describe('miscellaneous', function () {
 				.end(done);
 		});
 	});
+
+	describe('/stdout.queue', () => {
+		before(async () => {
+			return updatePermission('view-logs', ['admin']);
+		});
+
+		after(async () => {
+			return updatePermission('view-logs', ['admin']);
+		});
+
+		it('should return server logs', async () => {
+			return request
+				.get(api('stdout.queue'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('queue').and.to.be.an('array').that.is.not.empty;
+					expect(res.body.queue[0]).to.be.an('object');
+					expect(res.body.queue[0]).to.have.property('id').and.to.be.a('string');
+					expect(res.body.queue[0]).to.have.property('string').and.to.be.a('string');
+					expect(res.body.queue[0]).to.have.property('ts').and.to.be.a('string');
+				});
+		});
+
+		it('should not return server logs if user does NOT have the view-logs permission', async () => {
+			await updatePermission('view-logs', []);
+			return request
+				.get(api('stdout.queue'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(403)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
+				});
+		});
+	});
 });