[BUG][OMNICHANNEL] Inconsistent behavior on takeInquiry #18440

@djorkaeffalexandre

Description:

We have a REST endpoint to take a queued inquiry that checks for the view-livechat-manager permission; it doesn't allow users who don't have this permission to take an inquiry, since they wouldn't see these rooms.
On the web client, we can see queued rooms even without this permission, and we're able to take them, since the page is calling a methodCall that doesn't check for this permission.

Relevant code:
https://github.com/RocketChat/Rocket.Chat/blob/develop/app/livechat/imports/server/rest/inquiries.js#L51
https://github.com/RocketChat/Rocket.Chat/blob/develop/app/livechat/client/views/app/livechatReadOnly.js#L40

Steps to reproduce:

  1. Enable queue chats on omnichannel
  2. Add an omnichannel agent
  3. The user must not have the view-livechat-manager permission
  4. Create a new livechat chat
  5. Take it from the queue

Expected behavior:

Consistency between the REST endpoint and the method call.

Actual behavior:

If you use the REST endpoint you'll receive a 403 (not authorized).
If you use a method call it will allow you to take the room.

Server Setup Information:

  • Version of Rocket.Chat Server: 3.5.0
  • Operating System:
  • Deployment Method:
  • Number of Running Instances:
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version:

Client Setup Information

  • Desktop App or Browser Version:
  • Operating System:
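The consistency the report asks for comes from routing every transport through one authorization path instead of letting each entry point decide on its own. What follows is an added example in JavaScript, not Rocket.Chat's code: the names (sampleDb, hasPermission, takeInquiry, restTakeInquiry, methodTakeInquiry, methodTakeInquiryUnchecked), the sample users and the in-memory inquiry store are hypothetical stand-ins, and the view-livechat-manager check is kept only because that is the check the report describes on the REST side.

```javascript
// Added example, not Rocket.Chat code: one "take inquiry" action exposed over
// two transports (a REST handler and a method handler). Every name here
// (sampleDb, hasPermission, takeInquiry, restTakeInquiry, methodTakeInquiry,
// methodTakeInquiryUnchecked) is a hypothetical stand-in for illustration.

const REQUIRED_PERMISSION = 'view-livechat-manager';

// Constructed sample data: a manager with the permission, an agent without
// it, and one inquiry waiting in the queue.
function sampleDb() {
  return {
    users: {
      manager: { permissions: new Set([REQUIRED_PERMISSION, 'view-l-room']) },
      agent: { permissions: new Set(['view-l-room']) },
    },
    inquiries: {
      inq1: { status: 'queued', agentId: null },
    },
  };
}

function hasPermission(db, userId, permission) {
  const user = db.users[userId];
  return Boolean(user && user.permissions.has(permission));
}

// The single place that authorizes and performs the state change. Both
// transports call this, so the permission check cannot drift between them.
function takeInquiry(db, userId, inquiryId) {
  if (!hasPermission(db, userId, REQUIRED_PERMISSION)) {
    const err = new Error('not-authorized');
    err.status = 403;
    throw err;
  }
  const inquiry = db.inquiries[inquiryId];
  if (!inquiry || inquiry.status !== 'queued') {
    const err = new Error('inquiry-not-queued');
    err.status = 400;
    throw err;
  }
  inquiry.status = 'taken';
  inquiry.agentId = userId;
  return inquiry;
}

// REST transport: translates the thrown error into an HTTP status, so a
// caller without the permission sees 403 as the report describes.
function restTakeInquiry(db, userId, inquiryId) {
  try {
    return { status: 200, body: takeInquiry(db, userId, inquiryId) };
  } catch (e) {
    return { status: e.status || 500, body: { error: e.message } };
  }
}

// Method transport: delegates to the same function rather than touching the
// inquiry directly, so it rejects exactly the callers the REST endpoint rejects.
function methodTakeInquiry(db, userId, inquiryId) {
  return takeInquiry(db, userId, inquiryId);
}

// The shape of the inconsistency reported above: a second path that mutates
// the inquiry without consulting the permission model. Kept only to contrast
// with methodTakeInquiry; this is the pattern to remove, not to ship.
function methodTakeInquiryUnchecked(db, userId, inquiryId) {
  const inquiry = db.inquiries[inquiryId];
  inquiry.status = 'taken';
  inquiry.agentId = userId;
  return inquiry;
}

// Runs the unprivileged agent through all three paths and reports the outcome
// of each, so the difference between checked and unchecked transports is visible.
function compareTransports() {
  const checked = sampleDb();
  const unchecked = sampleDb();
  const restStatus = restTakeInquiry(checked, 'agent', 'inq1').status;
  let methodResult;
  try {
    methodTakeInquiry(checked, 'agent', 'inq1');
    methodResult = 'allowed';
  } catch (e) {
    methodResult = e.message;
  }
  const uncheckedStatus = methodTakeInquiryUnchecked(unchecked, 'agent', 'inq1').status;
  return { restStatus, methodResult, uncheckedStatus };
}
```

Calling compareTransports() returns restStatus 403 and methodResult 'not-authorized' for the agent on the two checked paths, while the unchecked path hands the agent the inquiry. The point is structural rather than about which permission is right: once the check lives in takeInquiry, adding or loosening a transport cannot silently widen who may take a room.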
