From e5c52d2faed8d28b717db3b1aab57561faba1c04 Mon Sep 17 00:00:00 2001 From: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com> Date: Fri, 3 May 2024 16:50:47 -0300 Subject: [PATCH] chore: Improve permissions check on cloud endpoints (#32331) --- apps/meteor/app/api/server/v1/cloud.ts | 25 ++++--------------------- 1 file changed, 4 insertions(+), 21 deletions(-) diff --git a/apps/meteor/app/api/server/v1/cloud.ts b/apps/meteor/app/api/server/v1/cloud.ts index 257612628bff..c0694deef4fa 100644 --- a/apps/meteor/app/api/server/v1/cloud.ts +++ b/apps/meteor/app/api/server/v1/cloud.ts @@ -2,7 +2,6 @@ import { check } from 'meteor/check'; import { CloudWorkspaceRegistrationError } from '../../../../lib/errors/CloudWorkspaceRegistrationError'; import { SystemLogger } from '../../../../server/lib/logger/system'; -import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission'; import { hasRoleAsync } from '../../../authorization/server/functions/hasRole'; import { getCheckoutUrl } from '../../../cloud/server/functions/getCheckoutUrl'; import { getConfirmationPoll } from '../../../cloud/server/functions/getConfirmationPoll'; @@ -20,17 +19,13 @@ import { API } from '../api'; API.v1.addRoute( 'cloud.manualRegister', - { authRequired: true }, + { authRequired: true, permissionsRequired: ['register-on-cloud'] }, { async post() { check(this.bodyParams, { cloudBlob: String, }); - if (!(await hasPermissionAsync(this.userId, 'register-on-cloud'))) { - return API.v1.unauthorized(); - } - const registrationInfo = await retrieveRegistrationStatus(); if (registrationInfo.workspaceRegistered) { @@ -48,7 +43,7 @@ API.v1.addRoute( API.v1.addRoute( 'cloud.createRegistrationIntent', - { authRequired: true }, + { authRequired: true, permissionsRequired: ['manage-cloud'] }, { async post() { check(this.bodyParams, { @@ -56,10 +51,6 @@ API.v1.addRoute( email: String, }); - if (!(await hasPermissionAsync(this.userId, 'manage-cloud'))) { - return API.v1.unauthorized(); - } - const intentData = await startRegisterWorkspaceSetupWizard(this.bodyParams.resend, this.bodyParams.email); if (intentData) { @@ -73,13 +64,9 @@ API.v1.addRoute( API.v1.addRoute( 'cloud.registerPreIntent', - { authRequired: true }, + { authRequired: true, permissionsRequired: ['manage-cloud'] }, { async post() { - if (!(await hasPermissionAsync(this.userId, 'manage-cloud'))) { - return API.v1.unauthorized(); - } - return API.v1.success({ offline: !(await registerPreIntentWorkspaceWizard()) }); }, }, @@ -87,7 +74,7 @@ API.v1.addRoute( API.v1.addRoute( 'cloud.confirmationPoll', - { authRequired: true }, + { authRequired: true, permissionsRequired: ['manage-cloud'] }, { async get() { const { deviceCode } = this.queryParams; @@ -95,10 +82,6 @@ API.v1.addRoute( deviceCode: String, }); - if (!(await hasPermissionAsync(this.userId, 'manage-cloud'))) { - return API.v1.unauthorized(); - } - if (!deviceCode) { return API.v1.failure('Invalid query'); }