refactor: Forbid access to workflows when enterprise features is unavailable (#4635) (no-changelog)
* refactor: Forbid access to workflows when enterprise features is unavailable
This commit is contained in:
Omar Ajoue
GitHub
@@ -14,7 +14,6 @@ import { SharedWorkflow } from '@db/entities/SharedWorkflow';
|
||||
import { LoggerProxy } from 'n8n-workflow';
|
||||
import * as TagHelpers from '@/TagHelpers';
|
||||
import { EECredentialsService as EECredentials } from '../credentials/credentials.service.ee';
|
||||
import { WorkflowsService } from './workflows.services';
|
||||
import { IExecutionPushResponse } from '@/Interfaces';
|
||||
import * as GenericHelpers from '@/GenericHelpers';
|
||||
|
||||
@@ -197,7 +196,7 @@ EEWorkflowController.post(
|
||||
EEWorkflowController.get(
|
||||
'/',
|
||||
ResponseHelper.send(async (req: WorkflowRequest.GetAll) => {
|
||||
const workflows = (await WorkflowsService.getMany(
|
||||
const workflows = (await EEWorkflows.getMany(
|
||||
req.user,
|
||||
req.query.filter,
|
||||
)) as unknown as WorkflowEntity[];
|
||||
@@ -222,7 +221,7 @@ EEWorkflowController.patch(
|
||||
|
||||
const safeWorkflow = await EEWorkflows.preventTampering(updateData, workflowId, req.user);
|
||||
|
||||
const updatedWorkflow = await WorkflowsService.update(
|
||||
const updatedWorkflow = await EEWorkflows.update(
|
||||
req.user,
|
||||
safeWorkflow,
|
||||
workflowId,
|
||||
@@ -256,6 +255,6 @@ EEWorkflowController.post(
|
||||
|
||||
req.body.workflowData.nodes = safeWorkflow.nodes;
|
||||
|
||||
return WorkflowsService.runManually(req.body, req.user, GenericHelpers.getSessionId(req));
|
||||
return EEWorkflows.runManually(req.body, req.user, GenericHelpers.getSessionId(req));
|
||||
}),
|
||||
);
|
||||
|
||||
@@ -9,7 +9,6 @@ import * as Db from '@/Db';
|
||||
import * as GenericHelpers from '@/GenericHelpers';
|
||||
import * as ResponseHelper from '@/ResponseHelper';
|
||||
import * as WorkflowHelpers from '@/WorkflowHelpers';
|
||||
import { whereClause } from '@/CredentialsHelper';
|
||||
import { IWorkflowResponse, IExecutionPushResponse } from '@/Interfaces';
|
||||
import config from '@/config';
|
||||
import * as TagHelpers from '@/TagHelpers';
|
||||
@@ -23,6 +22,7 @@ import type { WorkflowRequest } from '@/requests';
|
||||
import { isBelowOnboardingThreshold } from '@/WorkflowHelpers';
|
||||
import { EEWorkflowController } from './workflows.controller.ee';
|
||||
import { WorkflowsService } from './workflows.services';
|
||||
import { whereClause } from '@/UserManagement/UserManagementHelper';
|
||||
|
||||
export const workflowsController = express.Router();
|
||||
|
||||
@@ -201,7 +201,7 @@ workflowsController.get(
|
||||
ResponseHelper.send(async (req: WorkflowRequest.Get) => {
|
||||
const { id: workflowId } = req.params;
|
||||
|
||||
let relations = ['workflow', 'workflow.tags'];
|
||||
let relations = ['workflow', 'workflow.tags', 'role'];
|
||||
|
||||
if (config.getEnv('workflowTagsDisabled')) {
|
||||
relations = relations.filter((relation) => relation !== 'workflow.tags');
|
||||
@@ -213,6 +213,7 @@ workflowsController.get(
|
||||
user: req.user,
|
||||
entityType: 'workflow',
|
||||
entityId: workflowId,
|
||||
roles: ['owner'],
|
||||
}),
|
||||
});
|
||||
|
||||
@@ -252,7 +253,14 @@ workflowsController.patch(
|
||||
const { tags, ...rest } = req.body;
|
||||
Object.assign(updateData, rest);
|
||||
|
||||
const updatedWorkflow = await WorkflowsService.update(req.user, updateData, workflowId, tags);
|
||||
const updatedWorkflow = await WorkflowsService.update(
|
||||
req.user,
|
||||
updateData,
|
||||
workflowId,
|
||||
tags,
|
||||
false,
|
||||
['owner'],
|
||||
);
|
||||
|
||||
const { id, ...remainder } = updatedWorkflow;
|
||||
|
||||
@@ -275,11 +283,12 @@ workflowsController.delete(
|
||||
await externalHooks.run('workflow.delete', [workflowId]);
|
||||
|
||||
const shared = await Db.collections.SharedWorkflow.findOne({
|
||||
relations: ['workflow'],
|
||||
relations: ['workflow', 'role'],
|
||||
where: whereClause({
|
||||
user: req.user,
|
||||
entityType: 'workflow',
|
||||
entityId: workflowId,
|
||||
roles: ['owner'],
|
||||
}),
|
||||
});
|
||||
|
||||
|
||||
@@ -11,8 +11,14 @@ import { UserService } from '@/user/user.service';
|
||||
import { WorkflowsService } from './workflows.services';
|
||||
import type { WorkflowWithSharingsAndCredentials } from './workflows.types';
|
||||
import { EECredentialsService as EECredentials } from '@/credentials/credentials.service.ee';
|
||||
import { getSharedWorkflowIds } from '@/WorkflowHelpers';
|
||||
|
||||
export class EEWorkflowsService extends WorkflowsService {
|
||||
static async getWorkflowIdsForUser(user: User) {
|
||||
// Get all workflows regardless of role
|
||||
return getSharedWorkflowIds(user);
|
||||
}
|
||||
|
||||
static async isOwned(
|
||||
user: User,
|
||||
workflowId: string,
|
||||
|
||||
@@ -6,7 +6,6 @@ import * as Db from '@/Db';
|
||||
import { InternalHooksManager } from '@/InternalHooksManager';
|
||||
import * as ResponseHelper from '@/ResponseHelper';
|
||||
import * as WorkflowHelpers from '@/WorkflowHelpers';
|
||||
import { whereClause } from '@/CredentialsHelper';
|
||||
import config from '@/config';
|
||||
import { SharedWorkflow } from '@db/entities/SharedWorkflow';
|
||||
import { User } from '@db/entities/User';
|
||||
@@ -21,6 +20,7 @@ import { WorkflowRunner } from '@/WorkflowRunner';
|
||||
import * as WorkflowExecuteAdditionalData from '@/WorkflowExecuteAdditionalData';
|
||||
import * as TestWebhooks from '@/TestWebhooks';
|
||||
import { getSharedWorkflowIds } from '@/WorkflowHelpers';
|
||||
import { whereClause } from '@/UserManagement/UserManagementHelper';
|
||||
|
||||
export interface IGetWorkflowsQueryFilter {
|
||||
id?: number | string;
|
||||
@@ -93,8 +93,13 @@ export class WorkflowsService {
|
||||
return Db.collections.Workflow.findOne(workflow, options);
|
||||
}
|
||||
|
||||
// Warning: this function is overriden by EE to disregard role list.
|
||||
static async getWorkflowIdsForUser(user: User, roles?: string[]) {
|
||||
return getSharedWorkflowIds(user, roles);
|
||||
}
|
||||
|
||||
static async getMany(user: User, rawFilter: string) {
|
||||
const sharedWorkflowIds = await getSharedWorkflowIds(user);
|
||||
const sharedWorkflowIds = await this.getWorkflowIdsForUser(user, ['owner']);
|
||||
if (sharedWorkflowIds.length === 0) {
|
||||
// return early since without shared workflows there can be no hits
|
||||
// (note: getSharedWorkflowIds() returns _all_ workflow ids for global owners)
|
||||
@@ -172,15 +177,16 @@ export class WorkflowsService {
|
||||
workflow: WorkflowEntity,
|
||||
workflowId: string,
|
||||
tags?: string[],
|
||||
// eslint-disable-next-line @typescript-eslint/no-unused-vars
|
||||
forceSave?: boolean,
|
||||
roles?: string[],
|
||||
): Promise<WorkflowEntity> {
|
||||
const shared = await Db.collections.SharedWorkflow.findOne({
|
||||
relations: ['workflow'],
|
||||
relations: ['workflow', 'role'],
|
||||
where: whereClause({
|
||||
user,
|
||||
entityType: 'workflow',
|
||||
entityId: workflowId,
|
||||
roles,
|
||||
}),
|
||||
});
|
||||
|
||||
|
||||
Reference in New Issue
Block a user