Implement user permission checks in dataset deployment and user update routes

- Added permission validation to the `deploy_datasets` and `post_dataset` functions to ensure only users with workspace admin or data admin roles can execute these actions. - Enhanced error handling for permission checks, returning appropriate HTTP status codes and messages for insufficient permissions and internal errors. - Updated imports to include the new security checks module for consistency across routes. These changes improve security by enforcing role-based access control in critical dataset operations.
2025-01-16 08:42:02 -07:00 · 2025-01-16 08:42:02 -07:00 · bcf764ccd1
parent 7b110a941c
commit bcf764ccd1
3 changed files with 54 additions and 4 deletions
--- a/api/src/routes/rest/routes/datasets/deploy_datasets.rs
+++ b/api/src/routes/rest/routes/datasets/deploy_datasets.rs
@ -21,8 +21,7 @@ use crate::{
            credentials::get_data_source_credentials,
            import_dataset_columns::retrieve_dataset_columns,
            write_query_engine::write_query_engine,
-        },
-        user::user_info::get_user_organization_id,
+        }, security::checks::is_user_workspace_admin_or_data_admin, user::user_info::get_user_organization_id
    },
 };

@ -124,6 +123,20 @@ pub async fn deploy_datasets(
    Extension(user): Extension<User>,
    Json(request): Json<DeployDatasetsRequest>,
 ) -> Result<ApiResponse<DeployDatasetsResponse>, (axum::http::StatusCode, String)> {
+    match is_user_workspace_admin_or_data_admin(&user.id).await {
+        Ok(true) => (),
+        Ok(false) => {
+            return Err((
+                axum::http::StatusCode::FORBIDDEN,
+                "Insufficient permissions".to_string(),
+            ))
+        }
+        Err(e) => {
+            tracing::error!("Error checking user permissions: {:?}", e);
+            return Err((axum::http::StatusCode::INTERNAL_SERVER_ERROR, e.to_string()));
+        }
+    }
+
    let is_simple = match request {
        DeployDatasetsRequest::Full(_) => false,
        DeployDatasetsRequest::Simple { .. } => true,
--- a/api/src/routes/rest/routes/datasets/post_dataset.rs
+++ b/api/src/routes/rest/routes/datasets/post_dataset.rs
@ -2,6 +2,7 @@ use anyhow::{anyhow, Result};
 use axum::{extract::Json, Extension};
 use diesel::{ExpressionMethods, JoinOnDsl, QueryDsl};
 use diesel_async::RunQueryDsl;
+use reqwest::StatusCode;
 use serde::Deserialize;
 use uuid::Uuid;

@ -13,7 +14,10 @@ use crate::{
        schema::{data_sources, datasets, users_to_organizations},
    },
    routes::rest::ApiResponse,
-    utils::user::user_info::get_user_organization_id,
+    utils::{
+        security::checks::is_user_workspace_admin_or_data_admin,
+        user::user_info::get_user_organization_id,
+    },
 };

 #[derive(Debug, Deserialize)]
@ -26,12 +30,32 @@ pub async fn post_dataset(
    Extension(user): Extension<User>,
    Json(request): Json<PostDatasetReq>,
 ) -> Result<ApiResponse<Dataset>, (axum::http::StatusCode, String)> {
+    match is_user_workspace_admin_or_data_admin(&user.id).await {
+        Ok(true) => (),
+        Ok(false) => {
+            return Err((
+                StatusCode::FORBIDDEN,
+                "Insufficient permissions".to_string(),
+            ))
+        }
+        Err(e) => {
+            tracing::error!("Error checking user permissions: {:?}", e);
+            return Err((
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Error checking user permissions".to_string(),
+            ));
+        }
+    }
+
    let dataset = match post_dataset_handler(&user.id, &request.data_source_id, &request.name).await
    {
        Ok(dataset) => dataset,
        Err(e) => {
            tracing::error!("Error creating dataset: {:?}", e);
-            return Err((axum::http::StatusCode::INTERNAL_SERVER_ERROR, e.to_string()));
+            return Err((
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Error creating dataset".to_string(),
+            ));
        }
    };

--- a/api/src/routes/rest/routes/users/update_user.rs
+++ b/api/src/routes/rest/routes/users/update_user.rs
@ -8,6 +8,7 @@ use crate::database::schema::{users, users_to_organizations};
 use crate::database::{enums::UserOrganizationRole, lib::get_pg_pool};
 use crate::routes::rest::ApiResponse;
 use crate::utils::clients::sentry_utils::send_sentry_error;
+use crate::utils::security::checks::is_user_workspace_admin_or_data_admin;
 use axum::http::StatusCode;
 use diesel::{update, ExpressionMethods};
 use diesel_async::RunQueryDsl;
@ -34,6 +35,18 @@ pub async fn update_user(
    Path(id): Path<Uuid>,
    Json(body): Json<UpdateUserRequest>,
 ) -> Result<ApiResponse<()>, (StatusCode, &'static str)> {
+    match is_user_workspace_admin_or_data_admin(&user.id).await {
+        Ok(true) => (),
+        Ok(false) => return Err((StatusCode::FORBIDDEN, "Insufficient permissions")),
+        Err(e) => {
+            tracing::error!("Error checking user permissions: {:?}", e);
+            return Err((
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Error checking user permissions",
+            ));
+        }
+    }
+
    match update_user_handler(&id, body).await {
        Ok(_) => (),
        Err(e) => {