refactor(api): implement permissions middleware for enhanced access control

ggazzo · ggazzo · commit f581e708e321 · 2026-03-05T10:11:24.000-03:00
diff --git a/apps/meteor/app/api/server/ApiClass.ts b/apps/meteor/app/api/server/ApiClass.ts
@@ -18,8 +18,7 @@ import type { RateLimiterOptionsToCheck } from 'meteor/rate-limit';
 import { RateLimiter } from 'meteor/rate-limit';
 import _ from 'underscore';
 
-import type { PermissionsPayload } from './api.helpers';
-import { checkPermissionsForInvocation, checkPermissions, parseDeprecation } from './api.helpers';
+import { checkPermissions, parseDeprecation } from './api.helpers';
 import type {
 	FailureResult,
 	ForbiddenResult,
@@ -42,6 +41,7 @@ import type {
 import { getUserInfo } from './helpers/getUserInfo';
 import { parseJsonQuery } from './helpers/parseJsonQuery';
 import { authenticationMiddlewareForHono } from './middlewares/authenticationHono';
+import { permissionsMiddleware } from './middlewares/permissions';
 import type { APIActionContext } from './router';
 import { RocketChatAPIRouter } from './router';
 import { license } from '../../../ee/app/api-enterprise/server/middlewares/license';
@@ -856,31 +856,6 @@ export class APIClass<TBasePath extends string = '', TOperations extends Record<
 									throw new Meteor.Error('invalid-params', validatorFunc.errors?.map((error: any) => error.message).join('\n '));
 								}
 							}
-							if (shouldVerifyPermissions) {
-								if (!this.userId) {
-									if (applyBreakingChanges) {
-										throw new Meteor.Error('error-unauthorized', 'You must be logged in to do this');
-									}
-									throw new Meteor.Error('error-unauthorized', 'User does not have the permissions required for this action');
-								}
-								if (
-									!(await checkPermissionsForInvocation(
-										this.userId,
-										_options.permissionsRequired as PermissionsPayload,
-										this.request.method as Method,
-									))
-								) {
-									if (applyBreakingChanges) {
-										throw new Meteor.Error('error-forbidden', 'User does not have the permissions required for this action', {
-											permissions: _options.permissionsRequired,
-										});
-									}
-									throw new Meteor.Error('error-unauthorized', 'User does not have the permissions required for this action', {
-										permissions: _options.permissionsRequired,
-									});
-								}
-							}
-
 							if (
 								this.userId &&
 								(await api.processTwoFactor({
@@ -935,14 +910,17 @@ export class APIClass<TBasePath extends string = '', TOperations extends Record<
 				this.router[method.toLowerCase() as 'get' | 'post' | 'put' | 'delete'](
 					`/${route}`.replaceAll('//', '/'),
 					{ ..._options, tags } as TypedOptions,
-					authenticationMiddlewareForHono(this, {
-						authRequired: options.authRequired,
-						authOrAnonRequired: options.authOrAnonRequired,
-						userWithoutUsername: options.userWithoutUsername,
-						logger,
-					}),
-					license(_options as TypedOptions, License),
-					(operations[method as keyof Operations<TPathPattern, TOptions>] as Record<string, any>).action,
+					[
+						authenticationMiddlewareForHono(this, {
+							authRequired: options.authRequired,
+							authOrAnonRequired: options.authOrAnonRequired,
+							userWithoutUsername: options.userWithoutUsername,
+							logger,
+						}),
+						shouldVerifyPermissions && permissionsMiddleware(_options as TypedOptions),
+						license(_options as TypedOptions, License),
+						(operations[method as keyof Operations<TPathPattern, TOptions>] as Record<string, any>).action,
+					].filter(Boolean),
 				);
 				this._routes.push({
 					path: route,
diff --git a/apps/meteor/app/api/server/middlewares/permissions.ts b/apps/meteor/app/api/server/middlewares/permissions.ts
@@ -0,0 +1,48 @@
+import type { Method } from '@rocket.chat/rest-typings';
+import type { MiddlewareHandler } from 'hono';
+
+import { applyBreakingChanges } from '../ApiClass';
+import { API } from '../api';
+import { type PermissionsPayload, checkPermissionsForInvocation } from '../api.helpers';
+import type { TypedOptions } from '../definition';
+import type { HonoContext } from '../router';
+
+export const permissionsMiddleware =
+	(options: TypedOptions): MiddlewareHandler =>
+	async (c: HonoContext, next) => {
+		if (!options.permissionsRequired) {
+			return next();
+		}
+
+		const user = c.get('user');
+
+		if (!user) {
+			const message = applyBreakingChanges
+				? 'You must be logged in to do this'
+				: 'User does not have the permissions required for this action';
+
+			const failure = API.v1.failure({ error: message, message });
+
+			return c.json(failure.body, failure.statusCode);
+		}
+
+		const hasPermission = await checkPermissionsForInvocation(
+			user._id,
+			options.permissionsRequired as PermissionsPayload,
+			c.req.method as Method,
+		);
+
+		if (!hasPermission) {
+			const message = 'User does not have the permissions required for this action';
+
+			if (applyBreakingChanges) {
+				const failure = API.v1.failure({ error: message, message });
+				return c.json(failure.body, failure.statusCode);
+			}
+
+			const failure = API.v1.failure({ error: message, message });
+			return c.json(failure.body, failure.statusCode);
+		}
+
+		return next();
+	};
