fix(gateway): filter projects by ownership — close data privacy leak (#202)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>
This commit was merged in pull request #202.
This commit is contained in:
@@ -18,6 +18,7 @@ function createBrain() {
|
||||
},
|
||||
projects: {
|
||||
findAll: vi.fn(),
|
||||
findAllForUser: vi.fn(),
|
||||
findById: vi.fn(),
|
||||
create: vi.fn(),
|
||||
update: vi.fn(),
|
||||
@@ -67,7 +68,8 @@ describe('Resource ownership checks', () => {
|
||||
it('forbids access to another user project', async () => {
|
||||
const brain = createBrain();
|
||||
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
|
||||
const controller = new ProjectsController(brain as never);
|
||||
const teamsService = { canAccessProject: vi.fn().mockResolvedValue(false) };
|
||||
const controller = new ProjectsController(brain as never, teamsService as never);
|
||||
|
||||
await expect(controller.findOne('project-1', { id: 'user-1' })).rejects.toBeInstanceOf(
|
||||
ForbiddenException,
|
||||
|
||||
@@ -2,6 +2,7 @@ import {
|
||||
Body,
|
||||
Controller,
|
||||
Delete,
|
||||
ForbiddenException,
|
||||
Get,
|
||||
HttpCode,
|
||||
HttpStatus,
|
||||
@@ -16,22 +17,25 @@ import type { Brain } from '@mosaic/brain';
|
||||
import { BRAIN } from '../brain/brain.tokens.js';
|
||||
import { AuthGuard } from '../auth/auth.guard.js';
|
||||
import { CurrentUser } from '../auth/current-user.decorator.js';
|
||||
import { assertOwner } from '../auth/resource-ownership.js';
|
||||
import { TeamsService } from '../workspace/teams.service.js';
|
||||
import { CreateProjectDto, UpdateProjectDto } from './projects.dto.js';
|
||||
|
||||
@Controller('api/projects')
|
||||
@UseGuards(AuthGuard)
|
||||
export class ProjectsController {
|
||||
constructor(@Inject(BRAIN) private readonly brain: Brain) {}
|
||||
constructor(
|
||||
@Inject(BRAIN) private readonly brain: Brain,
|
||||
private readonly teamsService: TeamsService,
|
||||
) {}
|
||||
|
||||
@Get()
|
||||
async list() {
|
||||
return this.brain.projects.findAll();
|
||||
async list(@CurrentUser() user: { id: string }) {
|
||||
return this.brain.projects.findAllForUser(user.id);
|
||||
}
|
||||
|
||||
@Get(':id')
|
||||
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
|
||||
return this.getOwnedProject(id, user.id);
|
||||
return this.getAccessibleProject(id, user.id);
|
||||
}
|
||||
|
||||
@Post()
|
||||
@@ -50,7 +54,7 @@ export class ProjectsController {
|
||||
@Body() dto: UpdateProjectDto,
|
||||
@CurrentUser() user: { id: string },
|
||||
) {
|
||||
await this.getOwnedProject(id, user.id);
|
||||
await this.getAccessibleProject(id, user.id);
|
||||
const project = await this.brain.projects.update(id, dto);
|
||||
if (!project) throw new NotFoundException('Project not found');
|
||||
return project;
|
||||
@@ -59,15 +63,21 @@ export class ProjectsController {
|
||||
@Delete(':id')
|
||||
@HttpCode(HttpStatus.NO_CONTENT)
|
||||
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
|
||||
await this.getOwnedProject(id, user.id);
|
||||
await this.getAccessibleProject(id, user.id);
|
||||
const deleted = await this.brain.projects.remove(id);
|
||||
if (!deleted) throw new NotFoundException('Project not found');
|
||||
}
|
||||
|
||||
private async getOwnedProject(id: string, userId: string) {
|
||||
/**
|
||||
* Verify the requesting user can access the project — either as the direct
|
||||
* owner or as a member of the owning team. Throws NotFoundException when the
|
||||
* project does not exist and ForbiddenException when the user lacks access.
|
||||
*/
|
||||
private async getAccessibleProject(id: string, userId: string) {
|
||||
const project = await this.brain.projects.findById(id);
|
||||
if (!project) throw new NotFoundException('Project not found');
|
||||
assertOwner(project.ownerId, userId, 'Project');
|
||||
const canAccess = await this.teamsService.canAccessProject(userId, id);
|
||||
if (!canAccess) throw new ForbiddenException('Project does not belong to the current user');
|
||||
return project;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
import { Module } from '@nestjs/common';
|
||||
import { ProjectsController } from './projects.controller.js';
|
||||
import { WorkspaceModule } from '../workspace/workspace.module.js';
|
||||
|
||||
@Module({
|
||||
imports: [WorkspaceModule],
|
||||
controllers: [ProjectsController],
|
||||
})
|
||||
export class ProjectsModule {}
|
||||
|
||||
Reference in New Issue
Block a user