[perms] Implement getTeams WEB-501 (#18039)

* [perms] Implement getTeams * fix
gitpod-io · Jun 26, 2023 · 0111756 · 0111756
1 parent d8f93f2
commit 0111756
Showing 1 changed file with 29 additions and 1 deletion.
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -2748,7 +2748,35 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
     public async getTeams(ctx: TraceContext): Promise<Team[]> {
         // Note: this operation is per-user only, hence needs no resource guard
         const user = await this.checkUser("getTeams");
-        return this.teamDB.findTeamsByUser(user.id);
+        const teams = await this.teamDB.findTeamsByUser(user.id);
+
+        // We need to check each team individually against our permission system.
+        // checks are promises, which resolve to { team, check } object
+        const checks = teams.map((team) =>
+            this.authorizer.check(ReadOrganizationInfo(user.id, team.id)).then((check) => ({ team, check })),
+        );
+        const checkResults = await Promise.allSettled(checks);
+
+        const accessibleTeams = [];
+        const errors = [];
+        for (let result of checkResults) {
+            if (result.status !== "fulfilled") {
+                errors.push(result.reason);
+                continue;
+            }
+
+            const { team, check } = result.value;
+
+            if (check.permitted) {
+                accessibleTeams.push(team);
+            }
+        }
+
+        if (errors.length > 0) {
+            log.warn(`Failed to check for permissions on getTeams for at least one team`, { errors });
+        }
+
+        return accessibleTeams;
     }
 
     public async getTeam(ctx: TraceContext, teamId: string): Promise<Team> {