From 32705b304814b26e2ac91a66cb880bd54204013c Mon Sep 17 00:00:00 2001
From: Wells Bunker
Date: Thu, 25 Sep 2025 17:43:29 -0600
Subject: [PATCH] fixing public access for metric_files/data
---
 .../metric_files/[id]/data/get-metric-data.ts | 50 +++++++------------
 packages/access-controls/src/assets/checks.ts | 10 ++--
 2 files changed, 23 insertions(+), 37 deletions(-)
diff --git a/apps/server/src/api/v2/metric_files/[id]/data/get-metric-data.ts b/apps/server/src/api/v2/metric_files/[id]/data/get-metric-data.ts
index 6dd2b8e25..98b3042ad 100644
--- a/apps/server/src/api/v2/metric_files/[id]/data/get-metric-data.ts
+++ b/apps/server/src/api/v2/metric_files/[id]/data/get-metric-data.ts
@@ -38,17 +38,6 @@ export async function getMetricDataHandler(
 versionNumber?: number,
 reportFileId?: string
 ): Promise {
- // Get user's organization
- const userOrg = await getUserOrganizationId(user.id);
-
- if (!userOrg) {
- throw new HTTPException(403, {
- message: 'You must be part of an organization to access metric data',
- });
- }
-
- const { organizationId } = userOrg;
-
 // Retrieve metric definition from database with data source info
 const metric = await getMetricWithDataSource({ metricId, versionNumber });

@@ -58,13 +47,6 @@ export async function getMetricDataHandler(
 });
 }

- // Verify metric belongs to user's organization
- if (metric.organizationId !== organizationId) {
- throw new HTTPException(403, {
- message: 'You do not have permission to view this metric',
- });
- }
-
 // Check if user has permission to view this metric file
 // hasAssetPermission internally handles:
 // 1. Direct permissions
@@ -76,7 +58,7 @@ export async function getMetricDataHandler(
 assetId: metricId,
 assetType: 'metric_file',
 requiredRole: 'can_view',
- organizationId,
+ organizationId: metric.organizationId,
 workspaceSharing: metric.workspaceSharing ?? 'none',
 publiclyAccessible: metric.publiclyAccessible,
 publicExpiryDate: metric.publicExpiryDate ?? undefined,
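Review bot: `organizationId: metric.organizationId` hands hasAssetPermission the asset's own organization, and with the two organization checks removed earlier in getMetricDataHandler nothing visible in this handler still ties the caller to that organization. If the workspace-sharing branch of the check treats `organizationId` as the caller's organization (not visible here), a user from another organization would pass for any metric whose `workspaceSharing` is not 'none', which is wider than the public access this commit is after. I would confirm that the check verifies the caller's membership in `organizationId` before honouring `workspaceSharing`, and record that next to the call with a comment such as `// organizationId is the metric's org; caller membership is verified inside hasAssetPermission`. A regression test with a user from a different organization against a workspace-shared, non-public metric, expecting 403, would pin this down. The function body starts and ends outside the hunk.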
@@ -98,13 +80,13 @@ export async function getMetricDataHandler(
 console.info('Checking R2 cache for metric data', {
 metricId,
 reportFileId,
- organizationId,
+ organizationId: metric.organizationId,
 version: resolvedVersion,
 });

 try {
 const cachedData = await getCachedMetricData(
- organizationId,
+ metric.organizationId,
 metricId,
 reportFileId,
 resolvedVersion
@@ -184,22 +166,26 @@ export async function getMetricDataHandler(
 console.info('Writing metric data to cache', {
 metricId,
 reportFileId,
- organizationId,
+ organizationId: metric.organizationId,
 version: resolvedVersion,
 rowCount: trimmedData.length,
 });

 // Fire and forget - don't wait for cache write
- setCachedMetricData(organizationId, metricId, reportFileId, response, resolvedVersion).catch(
- (error) => {
- console.error('Failed to cache metric data', {
- metricId,
- reportFileId,
- version: resolvedVersion,
- error: error instanceof Error ? error.message : 'Unknown error',
- });
- }
- );
+ setCachedMetricData(
+ metric.organizationId,
+ metricId,
+ reportFileId,
+ response,
+ resolvedVersion
+ ).catch((error) => {
+ console.error('Failed to cache metric data', {
+ metricId,
+ reportFileId,
+ version: resolvedVersion,
+ error: error instanceof Error ? error.message : 'Unknown error',
+ });
+ });
 }

 return response;
diff --git a/packages/access-controls/src/assets/checks.ts b/packages/access-controls/src/assets/checks.ts
index ff373dfd4..e0725a9dd 100644
--- a/packages/access-controls/src/assets/checks.ts
+++ b/packages/access-controls/src/assets/checks.ts
@@ -48,11 +48,9 @@ export async function checkPermission(check: AssetPermissionCheck): Promise
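Review bot: The 'Checking R2 cache for metric data' log can no longer tell a read by an organization member from a read by a caller outside the organization, because `organizationId` is now always the metric's and the caller is not logged. Since this commit opens the path to public access, adding `userId: user.id` to the payload would keep these reads attributable during an investigation (`user` is presumably still a parameter of getMetricDataHandler; only its removed use is visible in this patch). The same applies to 'Writing metric data to cache' in the next hunk, where the `console.error` payload also lacks `organizationId: metric.organizationId`. The enclosing function starts and ends outside both hunks.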