fix: Error workflow now correctly checks for subworkflow permissions (#5390)

This commit is contained in:
Omar Ajoue 2023-02-07 17:40:36 +01:00 committed by GitHub
parent d05203db30
commit c8245b9f87
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -29,8 +29,9 @@ import { WorkflowRunner } from '@/WorkflowRunner';
import config from '@/config'; import config from '@/config';
import type { WorkflowEntity } from '@db/entities/WorkflowEntity'; import type { WorkflowEntity } from '@db/entities/WorkflowEntity';
import type { User } from '@db/entities/User'; import type { User } from '@db/entities/User';
import { getWorkflowOwner, whereClause } from '@/UserManagement/UserManagementHelper'; import { whereClause } from '@/UserManagement/UserManagementHelper';
import omit from 'lodash.omit'; import omit from 'lodash.omit';
import { PermissionChecker } from './UserManagement/PermissionChecker';
const ERROR_TRIGGER_TYPE = config.getEnv('nodes.errorTriggerType'); const ERROR_TRIGGER_TYPE = config.getEnv('nodes.errorTriggerType');
@ -94,30 +95,7 @@ export async function executeErrorWorkflow(
): Promise<void> { ): Promise<void> {
// Wrap everything in try/catch to make sure that no errors bubble up and all get caught here // Wrap everything in try/catch to make sure that no errors bubble up and all get caught here
try { try {
let workflowData: WorkflowEntity | null = null; const workflowData = await Db.collections.Workflow.findOneBy({ id: workflowId });
if (workflowId !== workflowErrorData.workflow.id) {
// To make this code easier to understand, we split it in 2 parts:
// 1) Fetch the owner of the errored workflows and then
// 2) if now instance owner, then check if the user has access to the
// triggered workflow.
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
const user = await getWorkflowOwner(workflowErrorData.workflow.id!);
if (user.globalRole.name === 'owner') {
workflowData = await Db.collections.Workflow.findOneBy({ id: workflowId });
} else {
const sharedWorkflowData = await Db.collections.SharedWorkflow.findOne({
where: { workflowId, userId: user.id },
relations: ['workflow'],
});
if (sharedWorkflowData) {
workflowData = sharedWorkflowData.workflow;
}
}
} else {
workflowData = await Db.collections.Workflow.findOneBy({ id: workflowId });
}
if (workflowData === null) { if (workflowData === null) {
// The error workflow could not be found // The error workflow could not be found
@ -129,15 +107,6 @@ export async function executeErrorWorkflow(
return; return;
} }
const user = await getWorkflowOwner(workflowId);
if (user.id !== runningUser.id) {
// The error workflow could not be found
Logger.warn(
`An attempt to execute workflow ID ${workflowId} as error workflow was blocked due to wrong permission`,
);
return;
}
const executionMode = 'error'; const executionMode = 'error';
const nodeTypes = NodeTypes(); const nodeTypes = NodeTypes();
@ -152,6 +121,20 @@ export async function executeErrorWorkflow(
settings: workflowData.settings, settings: workflowData.settings,
}); });
try {
await PermissionChecker.checkSubworkflowExecutePolicy(
workflowInstance,
runningUser.id,
workflowErrorData.workflow.id,
);
} catch (error) {
Logger.info('Error workflow execution blocked due to subworkflow settings', {
erroredWorkflowId: workflowErrorData.workflow.id,
errorWorkflowId: workflowId,
});
return;
}
let node: INode; let node: INode;
let workflowStartNode: INode | undefined; let workflowStartNode: INode | undefined;
for (const nodeName of Object.keys(workflowInstance.nodes)) { for (const nodeName of Object.keys(workflowInstance.nodes)) {
@ -204,7 +187,7 @@ export async function executeErrorWorkflow(
executionMode, executionMode,
executionData: runExecutionData, executionData: runExecutionData,
workflowData, workflowData,
userId: user.id, userId: runningUser.id,
}; };
const workflowRunner = new WorkflowRunner(); const workflowRunner = new WorkflowRunner();