refactor: Adjust credential endpoints permissions (#4656) (no-changelog)

* refactor: Adjust credential endpoints permissions
This commit is contained in:
Omar Ajoue 2022-11-22 08:37:52 +01:00 committed by GitHub
parent fe0178150f
commit 4c423762d6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 76 additions and 20 deletions

View file

@ -26,12 +26,19 @@ export class PermissionChecker {
// allow if all creds used in this workflow are a subset of
// all creds accessible to users who have access to this workflow
const workflowSharings = await Db.collections.SharedWorkflow.find({
relations: ['workflow'],
where: { workflow: { id: Number(workflow.id) } },
});
let workflowUserIds: string[] = [];
const workflowUserIds = workflowSharings.map((s) => s.userId);
if (workflow.id) {
const workflowSharings = await Db.collections.SharedWorkflow.find({
relations: ['workflow'],
where: { workflow: { id: Number(workflow.id) } },
});
workflowUserIds = workflowSharings.map((s) => s.userId);
} else {
// unsaved workflows have no id, so only get credentials for current user
workflowUserIds = [userId];
}
const credentialSharings = await Db.collections.SharedCredentials.find({
where: { user: In(workflowUserIds) },

View file

@ -36,7 +36,7 @@ credentialsController.use('/', EECredentialsController);
credentialsController.get(
'/',
ResponseHelper.send(async (req: CredentialRequest.GetAll): Promise<ICredentialsResponse[]> => {
const credentials = await CredentialsService.getAll(req.user);
const credentials = await CredentialsService.getAll(req.user, { roles: ['owner'] });
return credentials.map((credential) => {
// eslint-disable-next-line no-param-reassign

View file

@ -1,5 +1,5 @@
/* eslint-disable no-param-reassign */
import { DeleteResult, EntityManager, In, Not } from 'typeorm';
import { DeleteResult, EntityManager, FindOneOptions, In, Not, ObjectLiteral } from 'typeorm';
import * as Db from '@/Db';
import { RoleService } from '@/role/role.service';
import { CredentialsEntity } from '@db/entities/CredentialsEntity';
@ -25,6 +25,35 @@ export class EECredentialsService extends CredentialsService {
return { ownsCredential: true, credential };
}
/**
* Retrieve the sharing that matches a user and a credential.
*/
static async getSharing(
user: User,
credentialId: number | string,
relations: string[] = ['credentials'],
{ allowGlobalOwner } = { allowGlobalOwner: true },
): Promise<SharedCredentials | undefined> {
const options: FindOneOptions<SharedCredentials> & { where: ObjectLiteral } = {
where: {
credentials: { id: credentialId },
},
};
// Omit user from where if the requesting user is the global
// owner. This allows the global owner to view and delete
// credentials they don't own.
if (!allowGlobalOwner || user.globalRole.name !== 'owner') {
options.where.user = { id: user.id };
}
if (relations?.length) {
options.relations = relations;
}
return Db.collections.SharedCredentials.findOne(options);
}
static async getSharings(
transaction: EntityManager,
credentialId: string,

View file

@ -31,7 +31,10 @@ export class CredentialsService {
});
}
static async getAll(user: User, options?: { relations: string[] }): Promise<ICredentialsDb[]> {
static async getAll(
user: User,
options?: { relations?: string[]; roles?: string[] },
): Promise<ICredentialsDb[]> {
const SELECT_FIELDS: Array<keyof ICredentialsDb> = [
'id',
'name',
@ -52,11 +55,21 @@ export class CredentialsService {
// if member, return credentials owned by or shared with member
const userSharings = await Db.collections.SharedCredentials.find({
const whereConditions: FindManyOptions = {
where: {
user,
},
});
};
if (options?.roles?.length) {
whereConditions.where = {
...whereConditions.where,
role: { name: In(options.roles) },
} as FindManyOptions;
whereConditions.relations = ['role'];
}
const userSharings = await Db.collections.SharedCredentials.find(whereConditions);
return Db.collections.Credentials.find({
select: SELECT_FIELDS,
@ -77,7 +90,7 @@ export class CredentialsService {
static async getSharing(
user: User,
credentialId: number | string,
relations: string[] | undefined = ['credentials'],
relations: string[] = ['credentials'],
{ allowGlobalOwner } = { allowGlobalOwner: true },
): Promise<SharedCredentials | undefined> {
const options: FindOneOptions = {
@ -90,8 +103,14 @@ export class CredentialsService {
// owner. This allows the global owner to view and delete
// credentials they don't own.
if (!allowGlobalOwner || user.globalRole.name !== 'owner') {
// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
options.where.user = { id: user.id };
options.where = {
...options.where,
user: { id: user.id },
role: { name: 'owner' },
} as FindOneOptions;
if (!relations.includes('role')) {
relations.push('role');
}
}
if (relations?.length) {

View file

@ -247,13 +247,14 @@ EEWorkflowController.post(
const workflow = new WorkflowEntity();
Object.assign(workflow, req.body.workflowData);
const safeWorkflow = await EEWorkflows.preventTampering(
workflow,
workflow.id.toString(),
req.user,
);
req.body.workflowData.nodes = safeWorkflow.nodes;
if (workflow.id !== undefined) {
const safeWorkflow = await EEWorkflows.preventTampering(
workflow,
workflow.id.toString(),
req.user,
);
req.body.workflowData.nodes = safeWorkflow.nodes;
}
return EEWorkflows.runManually(req.body, req.user, GenericHelpers.getSessionId(req));
}),