RocketChat · kodiakhq · Feb 3, 2025 · Jan 28, 2025 · Jan 28, 2025 · Jan 29, 2025
diff --git a/.changeset/dry-jeans-thank.md b/.changeset/dry-jeans-thank.md
@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixes an issue that allowed departments to be removed via API even with setting `Omnichannel_enable_department_removal` disabled
@@ -6,6 +6,7 @@ import { Match, check } from 'meteor/check';
 import { API } from '../../../../api/server';
 import { getPaginationItems } from '../../../../api/server/helpers/getPaginationItems';
 import { hasPermissionAsync } from '../../../../authorization/server/functions/hasPermission';
+import { settings } from '../../../../settings/server';
 import {
 	findDepartments,
 	findDepartmentById,
@@ -164,6 +165,12 @@ API.v1.addRoute(
 				_id: String,
 			});
 
+			const isRemoveEnabled = settings.get<boolean>('Omnichannel_enable_department_removal');
+
+			if (!isRemoveEnabled) {
+				return API.v1.failure('error-department-removal-disabled');
+			}
+
 			await removeDepartment(this.urlParams._id);
 
 			return API.v1.success();

@@ -76,12 +76,16 @@ describe('LIVECHAT - rooms', () => {
 	before(async () => {
 		await updateSetting('Livechat_enabled', true);
 		await updateEESetting('Livechat_Require_Contact_Verification', 'never');
+		await updateSetting('Omnichannel_enable_department_removal', true);
 		await createAgent();
 		await makeAgentAvailable();
 		visitor = await createVisitor();
 
 		room = await createLivechatRoom(visitor.token);
 	});
+	after(async () => {
+		await updateSetting('Omnichannel_enable_department_removal', false);
+	});
 
 	describe('livechat/room', () => {
 		it('should fail when token is not passed as query parameter', async () => {

@@ -37,6 +37,7 @@ describe('LIVECHAT - Agents', () => {
 		await updateSetting('Livechat_enabled', true);
 		await updateSetting('Livechat_Routing_Method', 'Manual_Selection');
 		await updateEESetting('Livechat_Require_Contact_Verification', 'never');
+		await updateSetting('Omnichannel_enable_department_removal', true);
 		agent = await createAgent();
 		manager = await createManager();
 	});
@@ -55,6 +56,7 @@ describe('LIVECHAT - Agents', () => {
 	});
 
 	after(async () => {
+		await updateSetting('Omnichannel_enable_department_removal', false);
 		await deleteUser(agent2.user);
 	});
 

@@ -40,12 +40,17 @@ describe('LIVECHAT - Queue', () => {
 			updateSetting('Livechat_enabled', true),
 			updateSetting('Livechat_Routing_Method', 'Auto_Selection'),
 			updateEESetting('Livechat_Require_Contact_Verification', 'never'),
+			updateSetting('Omnichannel_enable_department_removal', true),
 
 			// this cleanup is required since previous tests left the DB dirty
 			cleanupRooms(),
 		]),
 	);
 
+	after(async () => {
+		await updateSetting('Omnichannel_enable_department_removal', false);
+	});
+
 	describe('livechat/queue', () => {
 		it('should return an "unauthorized error" when the user does not have the necessary permission', async () => {
 			await updatePermission('view-l-room', []);

@@ -43,6 +43,7 @@ import { IS_EE } from '../../../e2e/config/constants';
 
 	after(async () => {
 		await deleteDepartment(departmentId);
+		await updateSetting('Omnichannel_enable_department_removal', false);
 	});
 
 	it('should create a new department', async () => {
@@ -102,6 +103,10 @@ import { IS_EE } from '../../../e2e/config/constants';
 		await updateSetting('Omnichannel_enable_department_removal', true);
 	});
 
+	after(async () => {
+		await updateSetting('Omnichannel_enable_department_removal', false);
+	});
+
 	describe('GET livechat/department', () => {
 		it('should return unauthorized error when the user does not have the necessary permission', async () => {
 			await updatePermission('view-livechat-departments', []);
@@ -453,6 +458,28 @@ import { IS_EE } from '../../../e2e/config/constants';
 	});
 
 	describe('DELETE livechat/department/:_id', () => {
+		describe('With setting disabled', () => {
+			before(async () => {
+				await updateSetting('Omnichannel_enable_department_removal', false);
+			});
+			after(async () => {
+				await updateSetting('Omnichannel_enable_department_removal', true);
+			});
+
+			it('should not allow to remove a department if setting is disabled', async () => {
+				const department = await createDepartment();
+				await request
+					.delete(api(`livechat/department/${department._id}`))
+					.set(credentials)
+					.expect('Content-Type', 'application/json')
+					.expect(400)
+					.expect((res: Response) => {
+						expect(res.body).to.have.property('success', false);
+						expect(res.body).to.have.property('error', 'error-department-removal-disabled');
+					});
+			});
+		});
+
 		it('should return unauthorized error when the user does not have the necessary permission', async () => {
 			await updatePermission('manage-livechat-departments', []);
 			await updatePermission('remove-livechat-department', []);

@@ -29,10 +29,14 @@ import { IS_EE } from '../../../e2e/config/constants';
 
 describe('LIVECHAT - Utils', () => {
 	before((done) => getCredentials(done));
+	before(async () => {
+		await updateSetting('Omnichannel_enable_department_removal', true);
+	});
 
 	after(async () => {
 		await updateSetting('Livechat_enabled', true);
 		await updateSetting('Livechat_offline_email', '');
+		await updateSetting('Omnichannel_enable_department_removal', false);
 	});
 
 	describe('livechat/offline.message', () => {

@@ -17,6 +17,10 @@ import { IS_EE } from '../../../e2e/config/constants';
 	before(async () => {
 		await updateSetting('Livechat_enabled', true);
 		await updatePermission('manage-livechat-departments', ['livechat-manager', 'livechat-monitor', 'admin']);
+		await updateSetting('Omnichannel_enable_department_removal', true);
+	});
+	after(async () => {
+		await updateSetting('Omnichannel_enable_department_removal', false);
 	});
 
 	describe('[GET] livechat/units', () => {

@@ -38,9 +38,14 @@ describe('LIVECHAT - business hours', () => {
 	before(async () => {
 		await updateSetting('Livechat_enabled', true);
 		await updateSetting('Livechat_enable_business_hours', true);
+		await updateSetting('Omnichannel_enable_department_removal', true);
 		await createAgent();
 	});
 
+	after(async () => {
+		await updateSetting('Omnichannel_enable_department_removal', false);
+	});
+
 	let defaultBhId: any;
 	describe('[CE] livechat/business-hour', () => {
 		after(async () => {