Skip to content

Commit

Permalink
chore!: Remove upsert users capability through the users.update end…
Browse files Browse the repository at this point in the history
…point (#31889)

* Do not allow unused joinDefaultChannels param in users.update

* Do not allow user creation on users.update endpoint

---------

Co-authored-by: Marcos Spessatto Defendi <[email protected]>
  • Loading branch information
2 people authored and ggazzo committed Oct 11, 2024
1 parent c588368 commit a78cea5
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 5 deletions.
6 changes: 6 additions & 0 deletions .changeset/four-snakes-deny.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
"@rocket.chat/meteor": major
"@rocket.chat/rest-typings": major
---

Removed upsert behavior on `users.update` endpoint (`joinDefaultChannels` param or empty `userId` are not allowed anymore)
36 changes: 36 additions & 0 deletions apps/meteor/tests/end-to-end/api/users.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1675,6 +1675,42 @@ describe('[Users]', () => {
.end(done);
});

it('should return an error when trying to upsert a user by sending an empty userId', () => {
return request
.post(api('users.update'))
.set(credentials)
.send({
userId: '',
data: {},
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('errorType', 'invalid-params');
expect(res.body).to.have.property('error', 'must NOT have fewer than 1 characters [invalid-params]');
});
});

it('should return an error when trying to use the joinDefaultChannels param, which is not intended for updates', () => {
return request
.post(api('users.update'))
.set(credentials)
.send({
userId: targetUser._id,
data: {
joinDefaultChannels: true,
},
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('errorType', 'invalid-params');
expect(res.body).to.have.property('error', 'must NOT have additional properties [invalid-params]');
});
});

it("should update a bot's email", (done) => {
void request
.post(api('users.update'))
Expand Down
6 changes: 1 addition & 5 deletions packages/rest-typings/src/v1/users/UsersUpdateParamsPOST.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ export type UsersUpdateParamsPOST = {
nickname?: string;
statusText?: string;
roles?: string[];
joinDefaultChannels?: boolean;
requirePasswordChange?: boolean;
setRandomPassword?: boolean;
sendWelcomeEmail?: boolean;
Expand All @@ -32,6 +31,7 @@ const UsersUpdateParamsPostSchema = {
properties: {
userId: {
type: 'string',
minLength: 1,
},
confirmRelinquish: {
type: 'boolean',
Expand Down Expand Up @@ -78,10 +78,6 @@ const UsersUpdateParamsPostSchema = {
},
nullable: true,
},
joinDefaultChannels: {
type: 'boolean',
nullable: true,
},
requirePasswordChange: {
type: 'boolean',
nullable: true,
Expand Down

0 comments on commit a78cea5

Please sign in to comment.