diff --git a/.changeset/dry-jeans-thank.md b/.changeset/dry-jeans-thank.md
new file mode 100644
index 0000000000000..516d38e70471b
--- /dev/null
+++ b/.changeset/dry-jeans-thank.md
@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixes an issue that allowed departments to be removed via API even with setting `Omnichannel_enable_department_removal` disabled
diff --git a/apps/meteor/app/livechat/imports/server/rest/departments.ts b/apps/meteor/app/livechat/imports/server/rest/departments.ts
index 2ded03a521236..1be4c54e74971 100644
--- a/apps/meteor/app/livechat/imports/server/rest/departments.ts
+++ b/apps/meteor/app/livechat/imports/server/rest/departments.ts
@@ -6,6 +6,7 @@ import { Match, check } from 'meteor/check';
 import { API } from '../../../../api/server';
 import { getPaginationItems } from '../../../../api/server/helpers/getPaginationItems';
 import { hasPermissionAsync } from '../../../../authorization/server/functions/hasPermission';
+import { settings } from '../../../../settings/server';
 import {
 findDepartments,
 findDepartmentById,
@@ -164,6 +165,12 @@ API.v1.addRoute(
 _id: String,
 });
+ const isRemoveEnabled = settings.get('Omnichannel_enable_department_removal');
+
+ if (!isRemoveEnabled) {
+ return API.v1.failure('error-department-removal-disabled');
+ }
+
 await removeDepartment(this.urlParams._id);
 return API.v1.success();
diff --git a/apps/meteor/tests/end-to-end/api/livechat/00-rooms.ts b/apps/meteor/tests/end-to-end/api/livechat/00-rooms.ts
index d1f783913e87b..06c62e8a96dfb 100644
--- a/apps/meteor/tests/end-to-end/api/livechat/00-rooms.ts
+++ b/apps/meteor/tests/end-to-end/api/livechat/00-rooms.ts
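Review bot: In departments.ts the `Omnichannel_enable_department_removal` check is added only to the REST handler for the department DELETE route, so any other caller of `removeDepartment` would still delete a department while the setting is off. The body of `removeDepartment` is outside this diff, so whether it already checks the setting cannot be confirmed from here; if it does not, moving the guard into that function would make every entry point fail closed instead of relying on each caller to remember it. The read is also untyped; `const isRemoveEnabled = settings.get<boolean>('Omnichannel_enable_department_removal');` makes the expected value explicit. The handler itself starts and ends outside the hunk, so the permission checks that run before this guard are not visible.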
@@ -76,12 +76,16 @@ describe('LIVECHAT - rooms', () => {
 before(async () => {
 await updateSetting('Livechat_enabled', true);
 await updateEESetting('Livechat_Require_Contact_Verification', 'never');
+ await updateSetting('Omnichannel_enable_department_removal', true);
 await createAgent();
 await makeAgentAvailable();
 visitor = await createVisitor();
 room = await createLivechatRoom(visitor.token);
 });
+ after(async () => {
+ await updateSetting('Omnichannel_enable_department_removal', false);
+ });
 describe('livechat/room', () => {
 it('should fail when token is not passed as query parameter', async () => {
diff --git a/apps/meteor/tests/end-to-end/api/livechat/01-agents.ts b/apps/meteor/tests/end-to-end/api/livechat/01-agents.ts
index 3ff3eeb291d98..b9c143c4b1c5c 100644
--- a/apps/meteor/tests/end-to-end/api/livechat/01-agents.ts
+++ b/apps/meteor/tests/end-to-end/api/livechat/01-agents.ts
@@ -37,6 +37,7 @@ describe('LIVECHAT - Agents', () => {
 await updateSetting('Livechat_enabled', true);
 await updateSetting('Livechat_Routing_Method', 'Manual_Selection');
 await updateEESetting('Livechat_Require_Contact_Verification', 'never');
+ await updateSetting('Omnichannel_enable_department_removal', true);
 agent = await createAgent();
 manager = await createManager();
 });
@@ -55,6 +56,7 @@ describe('LIVECHAT - Agents', () => {
 });
 after(async () => {
+ await updateSetting('Omnichannel_enable_department_removal', false);
 await deleteUser(agent2.user);
 });
diff --git a/apps/meteor/tests/end-to-end/api/livechat/07-queue.ts b/apps/meteor/tests/end-to-end/api/livechat/07-queue.ts
index d6bb66be4d867..10b4df54667ce 100644
--- a/apps/meteor/tests/end-to-end/api/livechat/07-queue.ts
+++ b/apps/meteor/tests/end-to-end/api/livechat/07-queue.ts
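Review bot: The `after` hook added in 00-rooms.ts hard-codes `false` for `Omnichannel_enable_department_removal` instead of restoring the value the setting had before the suite ran. That is only correct if `false` is the value every environment starts from, which this diff does not show. Reading the current value in `before` and writing it back in `after` would keep the suites independent of that assumption. The same hard-coded reset is repeated in the hooks added to 01-agents.ts, 07-queue.ts, 10-departments.ts, 11-livechat.ts, 14-units.ts and 19-business-hours.ts.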
@@ -40,12 +40,17 @@ describe('LIVECHAT - Queue', () => {
 updateSetting('Livechat_enabled', true),
 updateSetting('Livechat_Routing_Method', 'Auto_Selection'),
 updateEESetting('Livechat_Require_Contact_Verification', 'never'),
+ updateSetting('Omnichannel_enable_department_removal', true),
 // this cleanup is required since previous tests left the DB dirty
 cleanupRooms(),
 ]),
 );
+ after(async () => {
+ await updateSetting('Omnichannel_enable_department_removal', false);
+ });
+
 describe('livechat/queue', () => {
 it('should return an "unauthorized error" when the user does not have the necessary permission', async () => {
 await updatePermission('view-l-room', []);
diff --git a/apps/meteor/tests/end-to-end/api/livechat/10-departments.ts b/apps/meteor/tests/end-to-end/api/livechat/10-departments.ts
index fc9af8d4580ed..6b377674bc646 100644
--- a/apps/meteor/tests/end-to-end/api/livechat/10-departments.ts
+++ b/apps/meteor/tests/end-to-end/api/livechat/10-departments.ts
@@ -43,6 +43,7 @@ import { IS_EE } from '../../../e2e/config/constants';
 after(async () => {
 await deleteDepartment(departmentId);
+ await updateSetting('Omnichannel_enable_department_removal', false);
 });
 it('should create a new department', async () => {
@@ -102,6 +103,10 @@ import { IS_EE } from '../../../e2e/config/constants';
 await updateSetting('Omnichannel_enable_department_removal', true);
 });
+ after(async () => {
+ await updateSetting('Omnichannel_enable_department_removal', false);
+ });
+
 describe('GET livechat/department', () => {
 it('should return unauthorized error when the user does not have the necessary permission', async () => {
 await updatePermission('view-livechat-departments', []);
@@ -453,6 +458,28 @@ import { IS_EE } from '../../../e2e/config/constants';
 });
 describe('DELETE livechat/department/:_id', () => {
+ describe('With setting disabled', () => {
+ before(async () => {
+ await updateSetting('Omnichannel_enable_department_removal', false);
+ });
+ after(async () => {
+ await updateSetting('Omnichannel_enable_department_removal', true);
+ });
+
+ it('should not allow to remove a department if setting is disabled', async () => {
+ const department = await createDepartment();
+ await request
+ .delete(api(`livechat/department/${department._id}`))
+ .set(credentials)
+ .expect('Content-Type', 'application/json')
+ .expect(400)
+ .expect((res: Response) => {
+ expect(res.body).to.have.property('success', false);
+ expect(res.body).to.have.property('error', 'error-department-removal-disabled');
+ });
+ });
+ });
+
 it('should return unauthorized error when the user does not have the necessary permission', async () => {
 await updatePermission('manage-livechat-departments', []);
 await updatePermission('remove-livechat-department', []);
diff --git a/apps/meteor/tests/end-to-end/api/livechat/11-livechat.ts b/apps/meteor/tests/end-to-end/api/livechat/11-livechat.ts
index d19b90a013e36..82c03428d78bd 100644
--- a/apps/meteor/tests/end-to-end/api/livechat/11-livechat.ts
+++ b/apps/meteor/tests/end-to-end/api/livechat/11-livechat.ts
@@ -29,10 +29,14 @@ import { IS_EE } from '../../../e2e/config/constants';
 describe('LIVECHAT - Utils', () => {
 before((done) => getCredentials(done));
+ before(async () => {
+ await updateSetting('Omnichannel_enable_department_removal', true);
+ });
 after(async () => {
 await updateSetting('Livechat_enabled', true);
 await updateSetting('Livechat_offline_email', '');
+ await updateSetting('Omnichannel_enable_department_removal', false);
 });
 describe('livechat/offline.message', () => {
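Review bot: The new 'With setting disabled' test in 10-departments.ts asserts only the 400 response and the `error-department-removal-disabled` body, so it would still pass if the handler returned that error after the department had already been removed. A regression test for this bypass should also read the department back after the rejected DELETE and assert it still exists. The department from `createDepartment()` is also never cleaned up: hoist it to the nested `describe` and call `deleteDepartment` (the helper used elsewhere in this file) in the nested `after`, once the setting is back to `true`.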
diff --git a/apps/meteor/tests/end-to-end/api/livechat/14-units.ts b/apps/meteor/tests/end-to-end/api/livechat/14-units.ts
index 95c24f5244860..cd891095c118b 100644
--- a/apps/meteor/tests/end-to-end/api/livechat/14-units.ts
+++ b/apps/meteor/tests/end-to-end/api/livechat/14-units.ts
@@ -17,6 +17,10 @@ import { IS_EE } from '../../../e2e/config/constants';
 before(async () => {
 await updateSetting('Livechat_enabled', true);
 await updatePermission('manage-livechat-departments', ['livechat-manager', 'livechat-monitor', 'admin']);
+ await updateSetting('Omnichannel_enable_department_removal', true);
+ });
+ after(async () => {
+ await updateSetting('Omnichannel_enable_department_removal', false);
 });
 describe('[GET] livechat/units', () => {
diff --git a/apps/meteor/tests/end-to-end/api/livechat/19-business-hours.ts b/apps/meteor/tests/end-to-end/api/livechat/19-business-hours.ts
index 9a6543f06c724..07dce78e14c46 100644
--- a/apps/meteor/tests/end-to-end/api/livechat/19-business-hours.ts
+++ b/apps/meteor/tests/end-to-end/api/livechat/19-business-hours.ts
@@ -38,9 +38,14 @@ describe('LIVECHAT - business hours', () => {
 before(async () => {
 await updateSetting('Livechat_enabled', true);
 await updateSetting('Livechat_enable_business_hours', true);
+ await updateSetting('Omnichannel_enable_department_removal', true);
 await createAgent();
 });
+ after(async () => {
+ await updateSetting('Omnichannel_enable_department_removal', false);
+ });
+
 let defaultBhId: any;
 describe('[CE] livechat/business-hour', () => {
 after(async () => {