chore!: Remove upsert users capability through the `users.update` endpoint (#31889)

* Do not allow unused joinDefaultChannels param in users.update * Do not allow user creation on users.update endpoint --------- Co-authored-by: Marcos Spessatto Defendi <marcos.defendi@rocket.chat>
2 years ago · 6b5b91fd14
parent 203328d60a
commit 6b5b91fd14
3 changed files with 43 additions and 5 deletions
--- a/.changeset/four-snakes-deny.md
+++ b/.changeset/four-snakes-deny.md
@ -0,0 +1,6 @@
+---
+"@rocket.chat/meteor": major
+"@rocket.chat/rest-typings": major
+---
+
+Removed upsert behavior on `users.update` endpoint (`joinDefaultChannels` param or empty `userId` are not allowed anymore)
--- a/apps/meteor/tests/end-to-end/api/users.ts
+++ b/apps/meteor/tests/end-to-end/api/users.ts
@ -1675,6 +1675,42 @@ describe('[Users]', () => {
 				.end(done);
 		});

+		it('should return an error when trying to upsert a user by sending an empty userId', () => {
+			return request
+				.post(api('users.update'))
+				.set(credentials)
+				.send({
+					userId: '',
+					data: {},
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('errorType', 'invalid-params');
+					expect(res.body).to.have.property('error', 'must NOT have fewer than 1 characters [invalid-params]');
+				});
+		});
+
+		it('should return an error when trying to use the joinDefaultChannels param, which is not intended for updates', () => {
+			return request
+				.post(api('users.update'))
+				.set(credentials)
+				.send({
+					userId: targetUser._id,
+					data: {
+						joinDefaultChannels: true,
+					},
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('errorType', 'invalid-params');
+					expect(res.body).to.have.property('error', 'must NOT have additional properties [invalid-params]');
+				});
+		});
+
 		it("should update a bot's email", (done) => {
 			void request
 				.post(api('users.update'))
--- a/packages/rest-typings/src/v1/users/UsersUpdateParamsPOST.ts
+++ b/packages/rest-typings/src/v1/users/UsersUpdateParamsPOST.ts
@ -16,7 +16,6 @@ export type UsersUpdateParamsPOST = {
 		nickname?: string;
 		statusText?: string;
 		roles?: string[];
-		joinDefaultChannels?: boolean;
 		requirePasswordChange?: boolean;
 		setRandomPassword?: boolean;
 		sendWelcomeEmail?: boolean;
@ -32,6 +31,7 @@ const UsersUpdateParamsPostSchema = {
 	properties: {
 		userId: {
 			type: 'string',
+			minLength: 1,
 		},
 		confirmRelinquish: {
 			type: 'boolean',
@ -78,10 +78,6 @@ const UsersUpdateParamsPostSchema = {
 					},
 					nullable: true,
 				},
-				joinDefaultChannels: {
-					type: 'boolean',
-					nullable: true,
-				},
 				requirePasswordChange: {
 					type: 'boolean',
 					nullable: true,