refactor(api): implement permissions middleware for enhanced access control

ggazzo · ggazzo · commit bad4d7825e4e · 2026-03-05T11:42:37.000-03:00
diff --git a/apps/meteor/app/api/server/ApiClass.ts b/apps/meteor/app/api/server/ApiClass.ts
@@ -18,8 +18,7 @@ import type { RateLimiterOptionsToCheck } from 'meteor/rate-limit';
 import { RateLimiter } from 'meteor/rate-limit';
 import _ from 'underscore';
 
-import type { PermissionsPayload } from './api.helpers';
-import { checkPermissionsForInvocation, checkPermissions, parseDeprecation } from './api.helpers';
+import { parseDeprecation } from './api.helpers';
 import type {
 	FailureResult,
 	ForbiddenResult,
@@ -42,6 +41,7 @@ import type {
 import { getUserInfo } from './helpers/getUserInfo';
 import { parseJsonQuery } from './helpers/parseJsonQuery';
 import { authenticationMiddlewareForHono } from './middlewares/authenticationHono';
+import { permissionsMiddleware } from './middlewares/permissions';
 import type { APIActionContext } from './router';
 import { RocketChatAPIRouter } from './router';
 import { license } from '../../../ee/app/api-enterprise/server/middlewares/license';
@@ -781,8 +781,6 @@ export class APIClass<TBasePath extends string = '', TOperations extends Record<
 
 		const operations = endpoints;
 
-		const shouldVerifyPermissions = checkPermissions(options);
-
 		// Allow for more than one route using the same option and endpoints
 		if (!Array.isArray(subpaths)) {
 			subpaths = [subpaths];
@@ -856,31 +854,6 @@ export class APIClass<TBasePath extends string = '', TOperations extends Record<
 									throw new Meteor.Error('invalid-params', validatorFunc.errors?.map((error: any) => error.message).join('\n '));
 								}
 							}
-							if (shouldVerifyPermissions) {
-								if (!this.userId) {
-									if (applyBreakingChanges) {
-										throw new Meteor.Error('error-unauthorized', 'You must be logged in to do this');
-									}
-									throw new Meteor.Error('error-unauthorized', 'User does not have the permissions required for this action');
-								}
-								if (
-									!(await checkPermissionsForInvocation(
-										this.userId,
-										_options.permissionsRequired as PermissionsPayload,
-										this.request.method as Method,
-									))
-								) {
-									if (applyBreakingChanges) {
-										throw new Meteor.Error('error-forbidden', 'User does not have the permissions required for this action', {
-											permissions: _options.permissionsRequired,
-										});
-									}
-									throw new Meteor.Error('error-unauthorized', 'User does not have the permissions required for this action', {
-										permissions: _options.permissionsRequired,
-									});
-								}
-							}
-
 							if (
 								this.userId &&
 								(await api.processTwoFactor({
@@ -941,6 +914,7 @@ export class APIClass<TBasePath extends string = '', TOperations extends Record<
 						userWithoutUsername: options.userWithoutUsername,
 						logger,
 					}),
+					permissionsMiddleware(_options as TypedOptions),
 					license(_options as TypedOptions, License),
 					(operations[method as keyof Operations<TPathPattern, TOptions>] as Record<string, any>).action,
 				);
diff --git a/apps/meteor/app/api/server/middlewares/permissions.ts b/apps/meteor/app/api/server/middlewares/permissions.ts
@@ -0,0 +1,48 @@
+import type { Method } from '@rocket.chat/rest-typings';
+import type { MiddlewareHandler } from 'hono';
+
+import { applyBreakingChanges } from '../ApiClass';
+import { API } from '../api';
+import { type PermissionsPayload, checkPermissionsForInvocation } from '../api.helpers';
+import type { TypedOptions } from '../definition';
+import type { HonoContext } from '../router';
+
+export const permissionsMiddleware =
+	(options: TypedOptions): MiddlewareHandler =>
+	async (c: HonoContext, next) => {
+		if (!options.permissionsRequired) {
+			return next();
+		}
+
+		const user = c.get('user');
+
+		if (!user) {
+			const message = applyBreakingChanges
+				? 'You must be logged in to do this'
+				: 'User does not have the permissions required for this action';
+
+			const failure = API.v1.failure({ error: message, message });
+
+			return c.json(failure.body, failure.statusCode);
+		}
+
+		const hasPermission = await checkPermissionsForInvocation(
+			user._id,
+			options.permissionsRequired as PermissionsPayload,
+			c.req.method as Method,
+		);
+
+		if (!hasPermission) {
+			const message = 'User does not have the permissions required for this action';
+
+			if (applyBreakingChanges) {
+				const failure = API.v1.failure({ error: message, message });
+				return c.json(failure.body, failure.statusCode);
+			}
+
+			const failure = API.v1.failure({ error: message, message });
+			return c.json(failure.body, failure.statusCode);
+		}
+
+		return next();
+	};
