feat(core): Move execution permission checks earlier in the lifecycle (#8677)

2024-02-21 14:47:02 +01:00
parent a573146135
commit 059d281fd1
10 changed files with 139 additions and 201 deletions
--- a/packages/cli/src/UserManagement/PermissionChecker.ts
+++ b/packages/cli/src/UserManagement/PermissionChecker.ts
@@ -22,10 +22,10 @@ export class PermissionChecker {
 	/**
 	 * Check if a user is permitted to execute a workflow.
 	 */
-	async check(workflow: Workflow, userId: string) {
+	async check(workflowId: string, userId: string, nodes: INode[]) {
 		// allow if no nodes in this workflow use creds

-		const credIdsToNodes = this.mapCredIdsToNodes(workflow);
+		const credIdsToNodes = this.mapCredIdsToNodes(nodes);

 		const workflowCredIds = Object.keys(credIdsToNodes);

@@ -46,8 +46,8 @@ export class PermissionChecker {

 		let workflowUserIds = [userId];

-		if (workflow.id && isSharingEnabled) {
-			workflowUserIds = await this.sharedWorkflowRepository.getSharedUserIds(workflow.id);
+		if (workflowId && isSharingEnabled) {
+			workflowUserIds = await this.sharedWorkflowRepository.getSharedUserIds(workflowId);
 		}

 		const accessibleCredIds = isSharingEnabled
@@ -62,7 +62,7 @@ export class PermissionChecker {
 		const inaccessibleCredId = inaccessibleCredIds[0];
 		const nodeToFlag = credIdsToNodes[inaccessibleCredId][0];

-		throw new CredentialAccessError(nodeToFlag, inaccessibleCredId, workflow);
+		throw new CredentialAccessError(nodeToFlag, inaccessibleCredId, workflowId);
 	}

 	async checkSubworkflowExecutePolicy(
@@ -129,25 +129,22 @@ export class PermissionChecker {
 		}
 	}

-	private mapCredIdsToNodes(workflow: Workflow) {
-		return Object.values(workflow.nodes).reduce<{ [credentialId: string]: INode[] }>(
-			(map, node) => {
-				if (node.disabled || !node.credentials) return map;
+	private mapCredIdsToNodes(nodes: INode[]) {
+		return nodes.reduce<{ [credentialId: string]: INode[] }>((map, node) => {
+			if (node.disabled || !node.credentials) return map;

-				Object.values(node.credentials).forEach((cred) => {
-					if (!cred.id) {
-						throw new NodeOperationError(node, 'Node uses invalid credential', {
-							description: 'Please recreate the credential.',
-							level: 'warning',
-						});
-					}
+			Object.values(node.credentials).forEach((cred) => {
+				if (!cred.id) {
+					throw new NodeOperationError(node, 'Node uses invalid credential', {
+						description: 'Please recreate the credential.',
+						level: 'warning',
+					});
+				}

-					map[cred.id] = map[cred.id] ? [...map[cred.id], node] : [node];
-				});
+				map[cred.id] = map[cred.id] ? [...map[cred.id], node] : [node];
+			});

-				return map;
-			},
-			{},
-		);
+			return map;
+		}, {});
 	}
 }