feat: Add initial scope checks via decorators (#7737)

packages/cli/src/environments/variables/variables.controller.ee.ts

@@ -1,10 +1,17 @@
-import { Container, Service } from 'typedi';
+import { Service } from 'typedi';
 
 import { VariablesRequest } from '@/requests';
-import { Authorized, Delete, Get, Licensed, Patch, Post, RestController } from '@/decorators';
+import {
+	Authorized,
+	Delete,
+	Get,
+	Licensed,
+	Patch,
+	Post,
+	RequireGlobalScope,
+	RestController,
+} from '@/decorators';
 import { VariablesService } from './variables.service.ee';
-import { Logger } from '@/Logger';
-import { UnauthorizedError } from '@/errors/response-errors/unauthorized.error';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
 import { NotFoundError } from '@/errors/response-errors/not-found.error';
 import { VariableValidationError } from '@/errors/variable-validation.error';
@@ -14,29 +21,22 @@ import { VariableCountLimitReachedError } from '@/errors/variable-count-limit-re
 @Authorized()
 @RestController('/variables')
 export class VariablesController {
-	constructor(
-		private variablesService: VariablesService,
-		private logger: Logger,
-	) {}
+	constructor(private variablesService: VariablesService) {}
 
 	@Get('/')
+	@RequireGlobalScope('variable:list')
 	async getVariables() {
-		return Container.get(VariablesService).getAllCached();
+		return this.variablesService.getAllCached();
 	}
 
 	@Post('/')
 	@Licensed('feat:variables')
+	@RequireGlobalScope('variable:create')
 	async createVariable(req: VariablesRequest.Create) {
-		if (req.user.globalRole.name !== 'owner') {
-			this.logger.info('Attempt to update a variable blocked due to lack of permissions', {
-				userId: req.user.id,
-			});
-			throw new UnauthorizedError('Unauthorized');
-		}
 		const variable = req.body;
 		delete variable.id;
 		try {
-			return await Container.get(VariablesService).create(variable);
+			return await this.variablesService.create(variable);
 		} catch (error) {
 			if (error instanceof VariableCountLimitReachedError) {
 				throw new BadRequestError(error.message);
@@ -48,9 +48,10 @@ export class VariablesController {
 	}
 
 	@Get('/:id')
+	@RequireGlobalScope('variable:read')
 	async getVariable(req: VariablesRequest.Get) {
 		const id = req.params.id;
-		const variable = await Container.get(VariablesService).getCached(id);
+		const variable = await this.variablesService.getCached(id);
 		if (variable === null) {
 			throw new NotFoundError(`Variable with id ${req.params.id} not found`);
 		}
@@ -59,19 +60,13 @@ export class VariablesController {
 
 	@Patch('/:id')
 	@Licensed('feat:variables')
+	@RequireGlobalScope('variable:update')
 	async updateVariable(req: VariablesRequest.Update) {
 		const id = req.params.id;
-		if (req.user.globalRole.name !== 'owner') {
-			this.logger.info('Attempt to update a variable blocked due to lack of permissions', {
-				id,
-				userId: req.user.id,
-			});
-			throw new UnauthorizedError('Unauthorized');
-		}
 		const variable = req.body;
 		delete variable.id;
 		try {
-			return await Container.get(VariablesService).update(id, variable);
+			return await this.variablesService.update(id, variable);
 		} catch (error) {
 			if (error instanceof VariableCountLimitReachedError) {
 				throw new BadRequestError(error.message);
@@ -82,16 +77,10 @@ export class VariablesController {
 		}
 	}
 
-	@Delete('/:id')
+	@Delete('/:id(\\w+)')
+	@RequireGlobalScope('variable:delete')
 	async deleteVariable(req: VariablesRequest.Delete) {
 		const id = req.params.id;
-		if (req.user.globalRole.name !== 'owner') {
-			this.logger.info('Attempt to delete a variable blocked due to lack of permissions', {
-				id,
-				userId: req.user.id,
-			});
-			throw new UnauthorizedError('Unauthorized');
-		}
 		await this.variablesService.delete(id);
 
 		return true;