Make a more composible check for checkPermission

2025-09-20 15:30:46 -06:00 · 2025-09-20 15:30:46 -06:00 · 389df8dff5
parent 2f8930e1fb
commit 389df8dff5
4 changed files with 31 additions and 15 deletions
--- a/apps/server/src/api/v2/reports/[id]/PUT.ts
+++ b/apps/server/src/api/v2/reports/[id]/PUT.ts
@ -22,21 +22,12 @@ async function updateReportHandler(
    throw new HTTPException(404, { message: 'Report not found' });
  }

-  // Get user's organization ID
-  const userOrg = await getUserOrganizationId(user.id);
-
-  if (!userOrg) {
-    throw new HTTPException(403, { message: 'User is not associated with an organization' });
-  }
-
-  const workspaceSharing = await getReportWorkspaceSharing(reportId);
-
  checkIfAssetIsEditable({
    user,
    assetId: reportId,
    assetType: 'report_file',
-    organizationId: userOrg.organizationId,
-    workspaceSharing,
+    workspaceSharing: getReportWorkspaceSharing,
+    requiredRole: 'full_access',
  });

  const { name, content, update_version = false } = request;
--- a/apps/server/src/api/v2/reports/[id]/sharing/POST.ts
+++ b/apps/server/src/api/v2/reports/[id]/sharing/POST.ts
@ -3,6 +3,7 @@ import {
  checkAssetPermission,
  findUsersByEmails,
  getReportFileById,
+  getReportWorkspaceSharing,
 } from '@buster/database/queries';
 import type { User } from '@buster/database/queries';
 import type { SharePostResponse } from '@buster/server-shared/reports';
@ -11,6 +12,7 @@ import { SharePostRequestSchema } from '@buster/server-shared/share';
 import { zValidator } from '@hono/zod-validator';
 import { Hono } from 'hono';
 import { HTTPException } from 'hono/http-exception';
+import { checkIfAssetIsEditable } from '../../../../../shared-helpers/asset-public-access';

 export async function createReportSharingHandler(
  reportId: string,
--- a/apps/server/src/api/v2/reports/[id]/sharing/PUT.ts
+++ b/apps/server/src/api/v2/reports/[id]/sharing/PUT.ts
@ -3,6 +3,7 @@ import {
  checkAssetPermission,
  findUsersByEmails,
  getReportFileById,
+  getReportWorkspaceSharing,
  getUserOrganizationId,
  updateReport,
 } from '@buster/database/queries';
@ -12,6 +13,7 @@ import { type ShareUpdateRequest, ShareUpdateRequestSchema } from '@buster/serve
 import { zValidator } from '@hono/zod-validator';
 import { Hono } from 'hono';
 import { HTTPException } from 'hono/http-exception';
+import { checkIfAssetIsEditable } from '../../../../../shared-helpers/asset-public-access';
 import { getReportHandler } from '../GET';

 export async function updateReportShareHandler(
@ -129,6 +131,15 @@ const app = new Hono().put('/', zValidator('json', ShareUpdateRequestSchema), as
    throw new HTTPException(403, { message: 'User is not associated with an organization' });
  }

+  checkIfAssetIsEditable({
+    user,
+    assetId: reportId,
+    assetType: 'report_file',
+    workspaceSharing: getReportWorkspaceSharing,
+    organizationId: userOrg.organizationId,
+    requiredRole: 'full_access',
+  });
+
  const updatedReport: ShareUpdateResponse = await updateReportShareHandler(reportId, request, {
    ...user,
    organizationId: userOrg.organizationId,
--- a/apps/server/src/shared-helpers/asset-public-access.ts
+++ b/apps/server/src/shared-helpers/asset-public-access.ts
@ -3,6 +3,7 @@ import {
  type WorkspaceSharing,
  checkPermission,
 } from '@buster/access-controls';
+import { getUserOrganizationId } from '@buster/database/queries';
 import type { AssetType } from '@buster/server-shared/assets';
 import type { ShareUpdateRequest } from '@buster/server-shared/share';
 import { HTTPException } from 'hono/http-exception';
@ -77,17 +78,28 @@ export const checkIfAssetIsEditable = async ({
  };
  assetId: string;
  assetType: AssetType;
-  organizationId: string;
-  workspaceSharing: WorkspaceSharing;
+  organizationId?: string;
+  workspaceSharing: WorkspaceSharing | ((id: string) => Promise<WorkspaceSharing>);
  requiredRole?: AssetPermissionRole;
 }) => {
+  const workspaceSharingResult =
+    typeof workspaceSharing === 'function' ? await workspaceSharing(assetId) : workspaceSharing;
+
+  // Get user's organization ID
+  const userOrgId =
+    organizationId || (await getUserOrganizationId(user.id).then((res) => res?.organizationId));
+
+  if (!userOrgId) {
+    throw new HTTPException(403, { message: 'User is not associated with an organization' });
+  }
+
  const assetPermissionResult = await checkPermission({
    userId: user.id,
    assetId,
    assetType,
    requiredRole,
-    organizationId,
-    workspaceSharing,
+    organizationId: userOrgId,
+    workspaceSharing: workspaceSharingResult,
  });

  if (!assetPermissionResult.hasAccess) {