mirror of
https://github.com/n8n-io/n8n.git
synced 2024-12-25 04:34:06 -08:00
refactor: Adjust credential endpoints permissions (#4656) (no-changelog)
* refactor: Adjust credential endpoints permissions
This commit is contained in:
parent
fe0178150f
commit
4c423762d6
|
@ -26,12 +26,19 @@ export class PermissionChecker {
|
|||
// allow if all creds used in this workflow are a subset of
|
||||
// all creds accessible to users who have access to this workflow
|
||||
|
||||
const workflowSharings = await Db.collections.SharedWorkflow.find({
|
||||
relations: ['workflow'],
|
||||
where: { workflow: { id: Number(workflow.id) } },
|
||||
});
|
||||
let workflowUserIds: string[] = [];
|
||||
|
||||
const workflowUserIds = workflowSharings.map((s) => s.userId);
|
||||
if (workflow.id) {
|
||||
const workflowSharings = await Db.collections.SharedWorkflow.find({
|
||||
relations: ['workflow'],
|
||||
where: { workflow: { id: Number(workflow.id) } },
|
||||
});
|
||||
|
||||
workflowUserIds = workflowSharings.map((s) => s.userId);
|
||||
} else {
|
||||
// unsaved workflows have no id, so only get credentials for current user
|
||||
workflowUserIds = [userId];
|
||||
}
|
||||
|
||||
const credentialSharings = await Db.collections.SharedCredentials.find({
|
||||
where: { user: In(workflowUserIds) },
|
||||
|
|
|
@ -36,7 +36,7 @@ credentialsController.use('/', EECredentialsController);
|
|||
credentialsController.get(
|
||||
'/',
|
||||
ResponseHelper.send(async (req: CredentialRequest.GetAll): Promise<ICredentialsResponse[]> => {
|
||||
const credentials = await CredentialsService.getAll(req.user);
|
||||
const credentials = await CredentialsService.getAll(req.user, { roles: ['owner'] });
|
||||
|
||||
return credentials.map((credential) => {
|
||||
// eslint-disable-next-line no-param-reassign
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/* eslint-disable no-param-reassign */
|
||||
import { DeleteResult, EntityManager, In, Not } from 'typeorm';
|
||||
import { DeleteResult, EntityManager, FindOneOptions, In, Not, ObjectLiteral } from 'typeorm';
|
||||
import * as Db from '@/Db';
|
||||
import { RoleService } from '@/role/role.service';
|
||||
import { CredentialsEntity } from '@db/entities/CredentialsEntity';
|
||||
|
@ -25,6 +25,35 @@ export class EECredentialsService extends CredentialsService {
|
|||
return { ownsCredential: true, credential };
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieve the sharing that matches a user and a credential.
|
||||
*/
|
||||
static async getSharing(
|
||||
user: User,
|
||||
credentialId: number | string,
|
||||
relations: string[] = ['credentials'],
|
||||
{ allowGlobalOwner } = { allowGlobalOwner: true },
|
||||
): Promise<SharedCredentials | undefined> {
|
||||
const options: FindOneOptions<SharedCredentials> & { where: ObjectLiteral } = {
|
||||
where: {
|
||||
credentials: { id: credentialId },
|
||||
},
|
||||
};
|
||||
|
||||
// Omit user from where if the requesting user is the global
|
||||
// owner. This allows the global owner to view and delete
|
||||
// credentials they don't own.
|
||||
if (!allowGlobalOwner || user.globalRole.name !== 'owner') {
|
||||
options.where.user = { id: user.id };
|
||||
}
|
||||
|
||||
if (relations?.length) {
|
||||
options.relations = relations;
|
||||
}
|
||||
|
||||
return Db.collections.SharedCredentials.findOne(options);
|
||||
}
|
||||
|
||||
static async getSharings(
|
||||
transaction: EntityManager,
|
||||
credentialId: string,
|
||||
|
|
|
@ -31,7 +31,10 @@ export class CredentialsService {
|
|||
});
|
||||
}
|
||||
|
||||
static async getAll(user: User, options?: { relations: string[] }): Promise<ICredentialsDb[]> {
|
||||
static async getAll(
|
||||
user: User,
|
||||
options?: { relations?: string[]; roles?: string[] },
|
||||
): Promise<ICredentialsDb[]> {
|
||||
const SELECT_FIELDS: Array<keyof ICredentialsDb> = [
|
||||
'id',
|
||||
'name',
|
||||
|
@ -52,11 +55,21 @@ export class CredentialsService {
|
|||
|
||||
// if member, return credentials owned by or shared with member
|
||||
|
||||
const userSharings = await Db.collections.SharedCredentials.find({
|
||||
const whereConditions: FindManyOptions = {
|
||||
where: {
|
||||
user,
|
||||
},
|
||||
});
|
||||
};
|
||||
|
||||
if (options?.roles?.length) {
|
||||
whereConditions.where = {
|
||||
...whereConditions.where,
|
||||
role: { name: In(options.roles) },
|
||||
} as FindManyOptions;
|
||||
whereConditions.relations = ['role'];
|
||||
}
|
||||
|
||||
const userSharings = await Db.collections.SharedCredentials.find(whereConditions);
|
||||
|
||||
return Db.collections.Credentials.find({
|
||||
select: SELECT_FIELDS,
|
||||
|
@ -77,7 +90,7 @@ export class CredentialsService {
|
|||
static async getSharing(
|
||||
user: User,
|
||||
credentialId: number | string,
|
||||
relations: string[] | undefined = ['credentials'],
|
||||
relations: string[] = ['credentials'],
|
||||
{ allowGlobalOwner } = { allowGlobalOwner: true },
|
||||
): Promise<SharedCredentials | undefined> {
|
||||
const options: FindOneOptions = {
|
||||
|
@ -90,8 +103,14 @@ export class CredentialsService {
|
|||
// owner. This allows the global owner to view and delete
|
||||
// credentials they don't own.
|
||||
if (!allowGlobalOwner || user.globalRole.name !== 'owner') {
|
||||
// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
|
||||
options.where.user = { id: user.id };
|
||||
options.where = {
|
||||
...options.where,
|
||||
user: { id: user.id },
|
||||
role: { name: 'owner' },
|
||||
} as FindOneOptions;
|
||||
if (!relations.includes('role')) {
|
||||
relations.push('role');
|
||||
}
|
||||
}
|
||||
|
||||
if (relations?.length) {
|
||||
|
|
|
@ -247,13 +247,14 @@ EEWorkflowController.post(
|
|||
const workflow = new WorkflowEntity();
|
||||
Object.assign(workflow, req.body.workflowData);
|
||||
|
||||
const safeWorkflow = await EEWorkflows.preventTampering(
|
||||
workflow,
|
||||
workflow.id.toString(),
|
||||
req.user,
|
||||
);
|
||||
|
||||
req.body.workflowData.nodes = safeWorkflow.nodes;
|
||||
if (workflow.id !== undefined) {
|
||||
const safeWorkflow = await EEWorkflows.preventTampering(
|
||||
workflow,
|
||||
workflow.id.toString(),
|
||||
req.user,
|
||||
);
|
||||
req.body.workflowData.nodes = safeWorkflow.nodes;
|
||||
}
|
||||
|
||||
return EEWorkflows.runManually(req.body, req.user, GenericHelpers.getSessionId(req));
|
||||
}),
|
||||
|
|
Loading…
Reference in a new issue