From 5488e7ab4442cd28514117faf86e75459beed26c Mon Sep 17 00:00:00 2001
From: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com>
Date: Fri, 11 Oct 2024 12:16:51 -0300
Subject: [PATCH] chore!: Remove upsert users capability through the `users.update` endpoint (#31889)
* Do not allow unused joinDefaultChannels param in users.update
* Do not allow user creation on users.update endpoint
---------
Co-authored-by: Marcos Spessatto Defendi
---
 .changeset/four-snakes-deny.md | 6 ++++
 apps/meteor/tests/end-to-end/api/users.ts | 36 +++++++++++++++++++
 .../src/v1/users/UsersUpdateParamsPOST.ts | 6 +---
 3 files changed, 43 insertions(+), 5 deletions(-)
 create mode 100644 .changeset/four-snakes-deny.md
diff --git a/.changeset/four-snakes-deny.md b/.changeset/four-snakes-deny.md
new file mode 100644
index 0000000000000..54149bfc4fdf8
--- /dev/null
+++ b/.changeset/four-snakes-deny.md
@@ -0,0 +1,6 @@
+---
+"@rocket.chat/meteor": major
+"@rocket.chat/rest-typings": major
+---
+
+Removed upsert behavior on `users.update` endpoint (`joinDefaultChannels` param or empty `userId` are not allowed anymore)
diff --git a/apps/meteor/tests/end-to-end/api/users.ts b/apps/meteor/tests/end-to-end/api/users.ts
index afb2d5fd4b37a..2752e1168073d 100644
--- a/apps/meteor/tests/end-to-end/api/users.ts
+++ b/apps/meteor/tests/end-to-end/api/users.ts
@@ -1675,6 +1675,42 @@ describe('[Users]', () => {
 .end(done);
 });
+ it('should return an error when trying to upsert a user by sending an empty userId', () => {
+ return request
+ .post(api('users.update'))
+ .set(credentials)
+ .send({
+ userId: '',
+ data: {},
+ })
+ .expect('Content-Type', 'application/json')
+ .expect(400)
+ .expect((res) => {
+ expect(res.body).to.have.property('success', false);
+ expect(res.body).to.have.property('errorType', 'invalid-params');
+ expect(res.body).to.have.property('error', 'must NOT have fewer than 1 characters [invalid-params]');
+ });
+ });
+
+ it('should return an error when trying to use the joinDefaultChannels param, which is not intended for updates', () => {
+ return request
+ .post(api('users.update'))
+ .set(credentials)
+ .send({
+ userId: targetUser._id,
+ data: {
+ joinDefaultChannels: true,
+ },
+ })
+ .expect('Content-Type', 'application/json')
+ .expect(400)
+ .expect((res) => {
+ expect(res.body).to.have.property('success', false);
+ expect(res.body).to.have.property('errorType', 'invalid-params');
+ expect(res.body).to.have.property('error', 'must NOT have additional properties [invalid-params]');
+ });
+ });
+
 it("should update a bot's email", (done) => {
 void request
+ .post(api('users.update'))
diff --git a/packages/rest-typings/src/v1/users/UsersUpdateParamsPOST.ts b/packages/rest-typings/src/v1/users/UsersUpdateParamsPOST.ts
index 4814d25874dfe..a71f356662260 100644
--- a/packages/rest-typings/src/v1/users/UsersUpdateParamsPOST.ts
+++ b/packages/rest-typings/src/v1/users/UsersUpdateParamsPOST.ts
@@ -16,7 +16,6 @@ export type UsersUpdateParamsPOST = {
 nickname?: string;
 statusText?: string;
 roles?: string[];
- joinDefaultChannels?: boolean;
 requirePasswordChange?: boolean;
 setRandomPassword?: boolean;
 sendWelcomeEmail?: boolean;
@@ -32,6 +31,7 @@ const UsersUpdateParamsPostSchema = {
 properties: {
 userId: {
 type: 'string',
+ minLength: 1,
 },
 confirmRelinquish: {
 type: 'boolean',
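Review bot: Neither new test covers a request that omits `userId` altogether; only the empty-string case is pinned, yet the only validation change this commit makes is `minLength: 1`, so a third case sending `{ data: {} }` with no `userId` and expecting 400 would actually pin the property the changeset claims (no user creation through `users.update`). Both tests also assert the validator's exact message text (`'must NOT have fewer than 1 characters [invalid-params]'`, `'must NOT have additional properties [invalid-params]'`), which couples them to the schema library's wording; asserting `errorType` and `success` alone, or matching the message with a regex, would be less brittle. The second test's expected message presumes `additionalProperties: false` on the `data` schema, which is not visible in this diff. The enclosing describe block starts and ends outside the hunk.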
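Review bot: `minLength: 1` on `userId` rejects only the empty string, and whether `userId` is listed in the schema's `required` array is outside this hunk; if it is not, a request that omits `userId` entirely still passes validation and reaches the handler with `userId` undefined. Because this commit touches only the typings, the schema and the tests, the server-side path that previously created a user is presumably still present and now relies entirely on this schema to block it, so it would be worth confirming `required` includes `userId` and adding a handler-side guard that rejects a missing or empty `userId` before any lookup or write. Note too that a whitespace-only value such as `' '` satisfies `minLength: 1`, so the schema alone does not guarantee a real identifier; the handler must still verify the target user exists before updating.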
@@ -78,10 +78,6 @@ const UsersUpdateParamsPostSchema = {
 },
 nullable: true,
 },
- joinDefaultChannels: {
- type: 'boolean',
- nullable: true,
- },
 requirePasswordChange: {
 type: 'boolean',
 nullable: true,