chore: Prevent call license and registration status endpoints when not enough permission (#30336)

apps/meteor/client/hooks/useLicense.ts

 import type { OperationResult } from '@rocket.chat/rest-typings';
-import { useEndpoint } from '@rocket.chat/ui-contexts';
+import { useEndpoint, usePermission } from '@rocket.chat/ui-contexts';
 import type { UseQueryResult } from '@tanstack/react-query';
 import { useQuery } from '@tanstack/react-query';
 
 export const useLicense = (): UseQueryResult<OperationResult<'GET', '/v1/licenses.get'>> => {
 	const getLicenses = useEndpoint('GET', '/v1/licenses.get');
+	const canViewLicense = usePermission('view-privileged-setting');
 
-	return useQuery(['licenses', 'getLicenses'], () => getLicenses(), {
-		staleTime: Infinity,
-		keepPreviousData: true,
-	});
+	return useQuery(
+		['licenses', 'getLicenses'],
+		() => {
+			if (!canViewLicense) {
+				throw new Error('unauthorized api call');
+			}
+			return getLicenses();
+		},
+		{
+			staleTime: Infinity,
+			keepPreviousData: true,
+		},
+	);
 };

apps/meteor/client/hooks/useRegistrationStatus.ts

 import type { OperationResult } from '@rocket.chat/rest-typings';
-import { useEndpoint } from '@rocket.chat/ui-contexts';
+import { useEndpoint, usePermission } from '@rocket.chat/ui-contexts';
 import type { UseQueryResult } from '@tanstack/react-query';
 import { useQuery } from '@tanstack/react-query';
 
 export const useRegistrationStatus = (): UseQueryResult<OperationResult<'GET', '/v1/cloud.registrationStatus'>> => {
 	const getRegistrationStatus = useEndpoint('GET', '/v1/cloud.registrationStatus');
+	const canViewregistrationStatus = usePermission('manage-cloud');
 
-	return useQuery(['getRegistrationStatus'], () => getRegistrationStatus(), {
-		keepPreviousData: true,
-		staleTime: Infinity,
-	});
+	return useQuery(
+		['getRegistrationStatus'],
+		() => {
+			if (!canViewregistrationStatus) {
+				throw new Error('unauthorized api call');
+			}
+			return getRegistrationStatus();
+		},
+		{
+			keepPreviousData: true,
+			staleTime: Infinity,
+		},
+	);
 };

apps/meteor/client/sidebar/header/actions/hooks/useAdministrationItems.spec.tsx

@@ -19,12 +19,14 @@ it('should not show upgrade item if has license and not have trial', async () =>
 					workspaceRegistered: false,
 				} as any,
 			}))
+			.withPermission('view-privileged-setting')
+			.withPermission('manage-cloud')
 			.build(),
 	});
 
 	await waitFor(() => !!(result.all.length > 1));
 
-	expect(result.current).toEqual([]);
+	expect(result.current.length).toEqual(1);
 });
 
 it('should return an upgrade item if not have license or if have a trial', async () => {
@@ -42,10 +44,13 @@ it('should return an upgrade item if not have license or if have a trial', async
 					workspaceRegistered: false,
 				} as any,
 			}))
+			.withPermission('view-privileged-setting')
+			.withPermission('manage-cloud')
 			.build(),
 	});
 
-	await waitFor(() => !!result.current[0]);
+	// Workspace admin is also expected to be here
+	await waitFor(() => result.current.length > 1);
 
 	expect(result.current[0]).toEqual(
 		expect.objectContaining({