From 100126e2ac550318f39e4785d91006ab3856f110 Mon Sep 17 00:00:00 2001
From: Maksim Sitnikov
Date: Thu, 26 Sep 2024 17:51:20 +0300
Subject: [PATCH] Fix checking permissions for creating workbooks and collections
---
 dev/env/opensource/development.env | 2 +-
 src/configs/common.ts | 2 +-
 .../common/entities/collection/collection.ts | 19 ++++++++++++++++---
 .../common/entities/workbook/workbook.ts | 17 ++++++++++++++---
 4 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/dev/env/opensource/development.env b/dev/env/opensource/development.env
index 9b2424ad..6c9e068e 100644
--- a/dev/env/opensource/development.env
+++ b/dev/env/opensource/development.env
@@ -6,7 +6,7 @@ CONTROL_MASTER_TOKEN=development-control-master-token
 US_SURPRESS_DB_STATUS_LOGS=true
-ZITADEL=false
+ZITADEL=true
 ZITADEL_URI=http://localhost:8085
diff --git a/src/configs/common.ts b/src/configs/common.ts
index c2bc8732..572cc8b0 100644
--- a/src/configs/common.ts
+++ b/src/configs/common.ts
@@ -34,7 +34,7 @@ export default {
 dlsEnabled: false,
 accessServiceEnabled: Utils.isTrueArg(Utils.getEnvVariable('ZITADEL')),
- accessBindingsServiceEnabled: false,
+ accessBindingsServiceEnabled: Utils.isTrueArg(Utils.getEnvVariable('ZITADEL')),
 masterToken: Utils.getEnvTokenVariable('MASTER_TOKEN'),
diff --git a/src/registry/common/entities/collection/collection.ts b/src/registry/common/entities/collection/collection.ts
index ee7d1df8..dcd8747f 100644
--- a/src/registry/common/entities/collection/collection.ts
+++ b/src/registry/common/entities/collection/collection.ts
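Review bot: In the common.ts hunk `accessBindingsServiceEnabled` is now derived from the same `ZITADEL` variable as `accessServiceEnabled` two lines above, but nothing records that the two switches are intended to move together, so a later edit could silently re-decouple them. A one-line comment above the pair would make the coupling explicit, e.g. `// Both switches follow ZITADEL: the bindings checks presumably rely on the zitadelUserRole that the Zitadel integration places in ctx info`. Since the `Utils.isTrueArg(Utils.getEnvVariable('ZITADEL'))` expression is now duplicated, it could also be hoisted into a single `const zitadelEnabled = Utils.isTrueArg(Utils.getEnvVariable('ZITADEL'));` above `export default {`, which starts outside the hunk.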
@@ -16,10 +16,13 @@ export const Collection: CollectionConstructor = class Collection implements Col
 this.model = model;
 }
- private getAllPermissions() {
+ private isEditorOrAdmin() {
 const {zitadelUserRole: role} = this.ctx.get('info');
+ return role === ZitadelUserRole.Editor || role === ZitadelUserRole.Admin;
+ }
- const isEditorOrAdmin = role === ZitadelUserRole.Editor || role === ZitadelUserRole.Admin;
+ private getAllPermissions() {
+ const isEditorOrAdmin = this.isEditorOrAdmin();
 const permissions = {
 listAccessBindings: true,
@@ -37,7 +40,17 @@ export const Collection: CollectionConstructor = class Collection implements Col
 return permissions;
 }
- async register() {}
+ async register() {
+ const isEditorOrAdmin = this.isEditorOrAdmin();
+
+ if (!isEditorOrAdmin) {
+ throw new AppError(US_ERRORS.ACCESS_SERVICE_PERMISSION_DENIED, {
+ code: US_ERRORS.ACCESS_SERVICE_PERMISSION_DENIED,
+ });
+ }
+
+ return Promise.resolve();
+ }
 async checkPermission(args: {
 parentIds: string[];
diff --git a/src/registry/common/entities/workbook/workbook.ts b/src/registry/common/entities/workbook/workbook.ts
index fe1de9f6..18d248ae 100644
--- a/src/registry/common/entities/workbook/workbook.ts
+++ b/src/registry/common/entities/workbook/workbook.ts
@@ -18,10 +18,13 @@ export const Workbook: WorkbookConstructor = class Workbook
 this.model = model;
 }
- private getAllPermissions() {
+ private isEditorOrAdmin() {
 const {zitadelUserRole: role} = this.ctx.get('info');
+ return role === ZitadelUserRole.Editor || role === ZitadelUserRole.Admin;
+ }
- const isEditorOrAdmin = role === ZitadelUserRole.Editor || role === ZitadelUserRole.Admin;
+ private getAllPermissions() {
+ const isEditorOrAdmin = this.isEditorOrAdmin();
 const permissions = {
 listAccessBindings: true,
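Review bot: The new `Collection.register()` in the second hunk gates creation on the caller's global Zitadel role only and takes no `parentIds`, so an Editor passes the check for any parent collection regardless of the access bindings on it; if collection-level bindings are meant to restrict where new collections may be created (this commit turns `accessBindingsServiceEnabled` on), `register` should accept `{parentIds}` and apply the same parent check that the neighbouring `checkPermission(args: {parentIds: string[]; ...})` does, whose body continues outside the hunk. The method also fails closed when `zitadelUserRole` is missing from ctx info, which is the right default but deserves a comment above the `if`: `// Fail closed: no recognised role (e.g. info missing) means no create permission`. The `return Promise.resolve();` at the end of an `async` method is redundant and a declared `Promise<void>` return type would keep the contract explicit; the same body appears verbatim in `Workbook.register()` in the next file, so a shared helper such as `assertEditorOrAdmin(ctx)` would stop the two gates from drifting apart.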
@@ -39,7 +42,15 @@ export const Workbook: WorkbookConstructor = class Workbook
 return permissions;
 }
- async register(_args: {parentIds: string[]}): Promise {
+ async register() {
+ const isEditorOrAdmin = this.isEditorOrAdmin();
+
+ if (!isEditorOrAdmin) {
+ throw new AppError(US_ERRORS.ACCESS_SERVICE_PERMISSION_DENIED, {
+ code: US_ERRORS.ACCESS_SERVICE_PERMISSION_DENIED,
+ });
+ }
+
 return Promise.resolve();
 }