fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
committed by
GitHub
parent
612771e032
commit
5832d3ca46
@@ -39,24 +39,20 @@ export class PermissionChecker {
|
||||
|
||||
if (user.hasGlobalScope('workflow:execute')) return;
|
||||
|
||||
const isSharingEnabled = this.license.isSharingEnabled();
|
||||
|
||||
// allow if all creds used in this workflow are a subset of
|
||||
// all creds accessible to users who have access to this workflow
|
||||
|
||||
let workflowUserIds = [userId];
|
||||
|
||||
if (workflow.id && this.license.isSharingEnabled()) {
|
||||
const workflowSharings = await this.sharedWorkflowRepository.find({
|
||||
relations: ['workflow'],
|
||||
where: { workflowId: workflow.id },
|
||||
select: ['userId'],
|
||||
});
|
||||
workflowUserIds = workflowSharings.map((s) => s.userId);
|
||||
if (workflow.id && isSharingEnabled) {
|
||||
workflowUserIds = await this.sharedWorkflowRepository.getSharedUserIds(workflow.id);
|
||||
}
|
||||
|
||||
const credentialSharings =
|
||||
await this.sharedCredentialsRepository.findOwnedSharings(workflowUserIds);
|
||||
|
||||
const accessibleCredIds = credentialSharings.map((s) => s.credentialsId);
|
||||
const accessibleCredIds = isSharingEnabled
|
||||
? await this.sharedCredentialsRepository.getAccessibleCredentialIds(workflowUserIds)
|
||||
: await this.sharedCredentialsRepository.getOwnedCredentialIds(workflowUserIds);
|
||||
|
||||
const inaccessibleCredIds = workflowCredIds.filter((id) => !accessibleCredIds.includes(id));
|
||||
|
||||
|
||||
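Review bot: With sharing enabled, the new ternary for `accessibleCredIds` counts a credential as accessible when any user returned by `getSharedUserIds(workflow.id)` holds it as owner or as `credential:user`, so a credential merely shared with one sharee passes the check for every user who can run the workflow; the removed code considered owned credentials only. The existing comment above `workflowUserIds` does not state this, and on an authorization path the rule should be spelled out where it is enforced. I would add above the ternary `// sharing enabled: credentials owned by OR shared with any user of this workflow are allowed; otherwise only credentials owned by the executing user`. Whether the caller is itself guaranteed to be among `workflowUserIds` is not visible here, since `check` starts and ends outside the hunk.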
@@ -63,7 +63,7 @@ export class CredentialsService {
|
||||
: credentials;
|
||||
}
|
||||
|
||||
const ids = await this.sharedCredentialsRepository.getAccessibleCredentials(user.id);
|
||||
const ids = await this.sharedCredentialsRepository.getAccessibleCredentialIds([user.id]);
|
||||
|
||||
const credentials = await this.credentialsRepository.findMany(
|
||||
options.listQueryOptions,
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import { Service } from 'typedi';
|
||||
import type { EntityManager } from 'typeorm';
|
||||
import { DataSource, In, Not, Repository } from 'typeorm';
|
||||
import { SharedCredentials } from '../entities/SharedCredentials';
|
||||
import { type CredentialSharingRole, SharedCredentials } from '../entities/SharedCredentials';
|
||||
import type { User } from '../entities/User';
|
||||
|
||||
@Service()
|
||||
@@ -36,27 +36,27 @@ export class SharedCredentialsRepository extends Repository<SharedCredentials> {
|
||||
return await this.update({ userId: Not(user.id), role: 'credential:owner' }, { user });
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the IDs of all credentials owned by or shared with a user.
|
||||
*/
|
||||
async getAccessibleCredentials(userId: string) {
|
||||
const sharings = await this.find({
|
||||
where: {
|
||||
userId,
|
||||
role: In(['credential:owner', 'credential:user']),
|
||||
},
|
||||
});
|
||||
|
||||
return sharings.map((s) => s.credentialsId);
|
||||
/** Get the IDs of all credentials owned by a user */
|
||||
async getOwnedCredentialIds(userIds: string[]) {
|
||||
return await this.getCredentialIdsByUserAndRole(userIds, ['credential:owner']);
|
||||
}
|
||||
|
||||
async findOwnedSharings(userIds: string[]) {
|
||||
return await this.find({
|
||||
/** Get the IDs of all credentials owned by or shared with a user */
|
||||
async getAccessibleCredentialIds(userIds: string[]) {
|
||||
return await this.getCredentialIdsByUserAndRole(userIds, [
|
||||
'credential:owner',
|
||||
'credential:user',
|
||||
]);
|
||||
}
|
||||
|
||||
private async getCredentialIdsByUserAndRole(userIds: string[], roles: CredentialSharingRole[]) {
|
||||
const sharings = await this.find({
|
||||
where: {
|
||||
userId: In(userIds),
|
||||
role: 'credential:owner',
|
||||
role: In(roles),
|
||||
},
|
||||
});
|
||||
return sharings.map((s) => s.credentialsId);
|
||||
}
|
||||
|
||||
async deleteByIds(transaction: EntityManager, sharedCredentialsIds: string[], user?: User) {
|
||||
|
||||
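Review bot: The doc comments on `getOwnedCredentialIds` and `getAccessibleCredentialIds` still say "a user", but both take `userIds: string[]` and `getCredentialIdsByUserAndRole` filters with `userId: In(userIds)`, so the result is the union over all given users. PermissionChecker relies on that union for an access decision, so the contract should be explicit: `/** Get the IDs of all credentials owned by any of the given users */` and `/** Get the IDs of all credentials owned by or shared with any of the given users */`. An explicit `Promise<string[]>` return type on the two public methods would also pin the contract. The result is not de-duplicated, which looks harmless for the `includes` check but deserves a word in the helper's comment.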
@@ -22,6 +22,15 @@ export class SharedWorkflowRepository extends Repository<SharedWorkflow> {
|
||||
return await this.exist({ where });
|
||||
}
|
||||
|
||||
/** Get the IDs of all users this workflow is shared with */
|
||||
async getSharedUserIds(workflowId: string) {
|
||||
const sharedWorkflows = await this.find({
|
||||
select: ['userId'],
|
||||
where: { workflowId },
|
||||
});
|
||||
return sharedWorkflows.map((sharing) => sharing.userId);
|
||||
}
|
||||
|
||||
async getSharedWorkflowIds(workflowIds: string[]) {
|
||||
const sharedWorkflows = await this.find({
|
||||
select: ['workflowId'],
|
||||
|
||||
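Review bot: `getSharedUserIds` has no filter on role, so it returns the user of every sharing row for the workflow, while the doc comment "shared with" can be read as excluding the owner. Since the result decides whose credentials count in the permission check, I would word it as `/** Get the IDs of all users who have a sharing entry for this workflow, whatever their role */`. Whether the owner is stored as a sharing row is not visible in this hunk. `getSharedWorkflowIds` below continues outside the hunk.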