feat(editor): 🔒️ Add verification on backend for file input deployment

2022-06-13 08:21:48 +02:00
parent 910b871556
commit 14afd2249e
7 changed files with 112 additions and 17 deletions
--- a/apps/builder/pages/api/publicTypebots.ts
+++ b/apps/builder/pages/api/publicTypebots.ts
@ -1,16 +1,29 @@
 import { withSentry } from '@sentry/nextjs'
 import prisma from 'libs/prisma'
+import { InputBlockType, PublicTypebot } from 'models'
 import { NextApiRequest, NextApiResponse } from 'next'
+import { canPublishFileInput } from 'services/api/dbRules'
 import { getAuthenticatedUser } from 'services/api/utils'
-import { methodNotAllowed, notAuthenticated } from 'utils'
+import { badRequest, methodNotAllowed, notAuthenticated } from 'utils'

 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
  const user = await getAuthenticatedUser(req)
  if (!user) return notAuthenticated(res)
  try {
    if (req.method === 'POST') {
-      const data =
+      const workspaceId = req.query.workspaceId as string | undefined
+      if (!workspaceId) return badRequest(res, 'workspaceId is required')
+      const data = (
        typeof req.body === 'string' ? JSON.parse(req.body) : req.body
+      ) as PublicTypebot
+      const typebotContainsFileInput = data.groups
+        .flatMap((g) => g.blocks)
+        .some((b) => b.type === InputBlockType.FILE)
+      if (
+        typebotContainsFileInput &&
+        !(await canPublishFileInput({ userId: user.id, workspaceId, res }))
+      )
+        return
      const typebot = await prisma.publicTypebot.create({
        data: { ...data },
      })
--- a/apps/builder/pages/api/publicTypebots/[id].ts
+++ b/apps/builder/pages/api/publicTypebots/[id].ts
@ -1,16 +1,31 @@
 import { withSentry } from '@sentry/nextjs'
 import prisma from 'libs/prisma'
+import { InputBlockType, PublicTypebot } from 'models'
 import { NextApiRequest, NextApiResponse } from 'next'
+import { canPublishFileInput } from 'services/api/dbRules'
 import { getAuthenticatedUser } from 'services/api/utils'
-import { methodNotAllowed, notAuthenticated } from 'utils'
+import { badRequest, methodNotAllowed, notAuthenticated } from 'utils'

 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
  const user = await getAuthenticatedUser(req)
  if (!user) return notAuthenticated(res)

-  const id = req.query.id.toString()
+  const id = req.query.id as string
+  const workspaceId = req.query.workspaceId as string | undefined
+
  if (req.method === 'PUT') {
-    const data = typeof req.body === 'string' ? JSON.parse(req.body) : req.body
+    const data = (
+      typeof req.body === 'string' ? JSON.parse(req.body) : req.body
+    ) as PublicTypebot
+    if (!workspaceId) return badRequest(res, 'workspaceId is required')
+    const typebotContainsFileInput = data.groups
+      .flatMap((g) => g.blocks)
+      .some((b) => b.type === InputBlockType.FILE)
+    if (
+      typebotContainsFileInput &&
+      !(await canPublishFileInput({ userId: user.id, workspaceId, res }))
+    )
+      return
    const typebots = await prisma.publicTypebot.update({
      where: { id },
      data,