🔒 Improve workspace API role filtering

2023-08-17 15:11:50 +02:00
parent 8810aa8ddb
commit 906845bd76
19 changed files with 288 additions and 138 deletions
--- a/apps/builder/src/features/credentials/api/createCredentials.ts
+++ b/apps/builder/src/features/credentials/api/createCredentials.ts
@@ -7,6 +7,7 @@ import { openAICredentialsSchema } from '@typebot.io/schemas/features/blocks/int
 import { smtpCredentialsSchema } from '@typebot.io/schemas/features/blocks/integrations/sendEmail'
 import { encrypt } from '@typebot.io/lib/api/encryption'
 import { z } from 'zod'
+import { isWriteWorkspaceForbidden } from '@/features/workspace/helpers/isWriteWorkspaceForbidden copy'

 const inputShape = {
  data: true,
@@ -44,11 +45,10 @@ export const createCredentials = authenticatedProcedure
    const workspace = await prisma.workspace.findFirst({
      where: {
        id: credentials.workspaceId,
-        members: { some: { userId: user.id } },
      },
-      select: { id: true },
+      select: { id: true, members: true },
    })
-    if (!workspace)
+    if (!workspace || (await isWriteWorkspaceForbidden(workspace, user)))
      throw new TRPCError({ code: 'NOT_FOUND', message: 'Workspace not found' })

    const { encryptedData, iv } = await encrypt(credentials.data)
--- a/apps/builder/src/features/credentials/api/deleteCredentials.ts
+++ b/apps/builder/src/features/credentials/api/deleteCredentials.ts
@@ -2,6 +2,7 @@ import prisma from '@/lib/prisma'
 import { authenticatedProcedure } from '@/helpers/server/trpc'
 import { TRPCError } from '@trpc/server'
 import { z } from 'zod'
+import { isWriteWorkspaceForbidden } from '@/features/workspace/helpers/isWriteWorkspaceForbidden copy'

 export const deleteCredentials = authenticatedProcedure
  .meta({
@@ -29,11 +30,10 @@ export const deleteCredentials = authenticatedProcedure
      const workspace = await prisma.workspace.findFirst({
        where: {
          id: workspaceId,
-          members: { some: { userId: user.id } },
        },
-        select: { id: true },
+        select: { id: true, members: true },
      })
-      if (!workspace)
+      if (!workspace || (await isWriteWorkspaceForbidden(workspace, user)))
        throw new TRPCError({
          code: 'NOT_FOUND',
          message: 'Workspace not found',
--- a/apps/builder/src/features/credentials/api/listCredentials.ts
+++ b/apps/builder/src/features/credentials/api/listCredentials.ts
@@ -6,6 +6,7 @@ import { googleSheetsCredentialsSchema } from '@typebot.io/schemas/features/bloc
 import { openAICredentialsSchema } from '@typebot.io/schemas/features/blocks/integrations/openai'
 import { smtpCredentialsSchema } from '@typebot.io/schemas/features/blocks/integrations/sendEmail'
 import { z } from 'zod'
+import { isReadWorkspaceFobidden } from '@/features/workspace/helpers/isReadWorkspaceFobidden'

 export const listCredentials = authenticatedProcedure
  .meta({
@@ -35,21 +36,23 @@ export const listCredentials = authenticatedProcedure
    const workspace = await prisma.workspace.findFirst({
      where: {
        id: workspaceId,
-        members: { some: { userId: user.id } },
-      },
-      select: { id: true },
-    })
-    if (!workspace)
-      throw new TRPCError({ code: 'NOT_FOUND', message: 'Workspace not found' })
-    const credentials = await prisma.credentials.findMany({
-      where: {
-        type,
-        workspaceId,
      },
      select: {
        id: true,
-        name: true,
+        members: true,
+        credentials: {
+          where: {
+            type,
+          },
+          select: {
+            id: true,
+            name: true,
+          },
+        },
      },
    })
-    return { credentials }
+    if (!workspace || (await isReadWorkspaceFobidden(workspace, user)))
+      throw new TRPCError({ code: 'NOT_FOUND', message: 'Workspace not found' })
+
+    return { credentials: workspace.credentials }
  })