added security check on the post and put endponts.

dal 2025-09-12 10:32:39 -06:00
parent d77830dc13
commit cddd790761
No known key found for this signature in database
GPG Key ID: 16F4B0E1E9F61122
2 changed files with 13 additions and 8 deletions


@ -21,9 +21,12 @@ export async function createShortcutHandler(
// Check if user has permission to create workspace shortcuts
if (data.sharedWithWorkspace) {
// TODO: Check if user is admin/has permission to create workspace shortcuts
// For now, we'll allow any authenticated user to create workspace shortcuts
// This should be updated based on your permission system
// Only workspace_admin or data_admin can create workspace shortcuts
if (userOrg.role !== 'workspace_admin' && userOrg.role !== 'data_admin') {
throw new HTTPException(403, {
message: 'Only workspace admins and data admins can create workspace shortcuts',
});
}
}
// Check for duplicate name
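Review bot: The new role check dereferences `userOrg.role` unconditionally; if `userOrg` can be null or undefined for a caller who is not a member of the organisation (its lookup happens outside this hunk, so I cannot confirm), the guard throws a TypeError and the request surfaces as a 500 rather than the intended 403. A null-tolerant form also avoids repeating the role list inline: `if (!['workspace_admin', 'data_admin'].includes(userOrg?.role)) {`. The same two role strings are repeated in updateShortcutHandler, so a single module-level frozen list or Set of roles allowed to manage workspace shortcuts would keep the two endpoints from drifting apart. createShortcutHandler starts before this hunk and continues after it.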


@ -42,19 +42,21 @@ export async function updateShortcutHandler(
}
// For personal shortcuts, only creator can update
// For workspace shortcuts, check admin permission (TODO)
if (!existingShortcut.sharedWithWorkspace && existingShortcut.createdBy !== user.id) {
throw new HTTPException(403, {
message: 'You can only update your own shortcuts',
});
}
// For workspace shortcuts, check admin permission
if (existingShortcut.sharedWithWorkspace) {
// TODO: Check if user is admin/has permission to update workspace shortcuts
// For now, we'll allow the creator to update their workspace shortcuts
if (existingShortcut.createdBy !== user.id) {
// Only workspace_admin, data_admin, or the creator can update workspace shortcuts
const isAdmin = userOrg.role === 'workspace_admin' || userOrg.role === 'data_admin';
const isCreator = existingShortcut.createdBy === user.id;
if (!isAdmin && !isCreator) {
throw new HTTPException(403, {
message: 'Only administrators can update workspace shortcuts',
message: 'Only workspace admins, data admins, or the shortcut creator can update workspace shortcuts',
});
}
}
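Review bot: The authorization decision here keys only on `existingShortcut.sharedWithWorkspace`, so if the update payload is allowed to set `sharedWithWorkspace` (I cannot see the payload binding in this hunk; the create handler calls it `data`), a non-admin can create a personal shortcut and then promote it to a workspace shortcut through PUT, bypassing the admin-only rule that createShortcutHandler now enforces. The new `isAdmin`/`isCreator` locals are also declared inside the workspace branch, so they cannot be reused for that transition check. I would hoist them and add a second guard for personal-to-workspace promotion, as sketched below. updateShortcutHandler starts before this hunk and continues after it.
```javascript
// … unchanged: lookup of existingShortcut and personal-shortcut ownership check …
const isAdmin = userOrg.role === 'workspace_admin' || userOrg.role === 'data_admin';
const isCreator = existingShortcut.createdBy === user.id;

// Workspace shortcuts: only admins or the creator may update
if (existingShortcut.sharedWithWorkspace && !isAdmin && !isCreator) {
  throw new HTTPException(403, {
    message: 'Only workspace admins, data admins, or the shortcut creator can update workspace shortcuts',
  });
}

// Promoting a personal shortcut to a workspace shortcut needs the same admin role
// the create endpoint requires; otherwise the create-time check is bypassable via PUT.
// Assumes the update payload is bound to `data` as in createShortcutHandler — confirm.
if (data?.sharedWithWorkspace && !existingShortcut.sharedWithWorkspace && !isAdmin) {
  throw new HTTPException(403, {
    message: 'Only workspace admins and data admins can share shortcuts with the workspace',
  });
}
```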