fix: allowed workspace owner only to view access request (#855)
This commit is contained in:
parent
1664fe869e
commit
f19e9b0498
|
|
@ -32,15 +32,18 @@ pub fn access_request_scope() -> Scope {
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn get_access_request_handler(
|
async fn get_access_request_handler(
|
||||||
_uuid: UserUuid,
|
uuid: UserUuid,
|
||||||
access_request_id: web::Path<Uuid>,
|
access_request_id: web::Path<Uuid>,
|
||||||
state: Data<AppState>,
|
state: Data<AppState>,
|
||||||
) -> Result<JsonAppResponse<AccessRequest>> {
|
) -> Result<JsonAppResponse<AccessRequest>> {
|
||||||
let access_request_id = access_request_id.into_inner();
|
let access_request_id = access_request_id.into_inner();
|
||||||
|
let uid = state.user_cache.get_user_uid(&uuid).await?;
|
||||||
let access_request = get_access_request(
|
let access_request = get_access_request(
|
||||||
&state.pg_pool,
|
&state.pg_pool,
|
||||||
state.collab_access_control_storage.clone(),
|
state.collab_access_control_storage.clone(),
|
||||||
access_request_id,
|
access_request_id,
|
||||||
|
*uuid,
|
||||||
|
uid,
|
||||||
)
|
)
|
||||||
.await?;
|
.await?;
|
||||||
Ok(Json(AppResponse::Ok().with_data(access_request)))
|
Ok(Json(AppResponse::Ok().with_data(access_request)))
|
||||||
|
|
|
||||||
|
|
@ -73,9 +73,17 @@ pub async fn get_access_request(
|
||||||
pg_pool: &PgPool,
|
pg_pool: &PgPool,
|
||||||
collab_storage: Arc<CollabAccessControlStorage>,
|
collab_storage: Arc<CollabAccessControlStorage>,
|
||||||
access_request_id: Uuid,
|
access_request_id: Uuid,
|
||||||
|
user_uuid: Uuid,
|
||||||
|
user_uid: i64,
|
||||||
) -> Result<AccessRequest, AppError> {
|
) -> Result<AccessRequest, AppError> {
|
||||||
let access_request_with_view_id =
|
let access_request_with_view_id =
|
||||||
select_access_request_by_request_id(pg_pool, access_request_id).await?;
|
select_access_request_by_request_id(pg_pool, access_request_id).await?;
|
||||||
|
if access_request_with_view_id.workspace.owner_uid != user_uid {
|
||||||
|
return Err(AppError::NotEnoughPermissions {
|
||||||
|
user: user_uuid.to_string(),
|
||||||
|
action: "get access request".to_string(),
|
||||||
|
});
|
||||||
|
}
|
||||||
let folder = get_latest_collab_folder(
|
let folder = get_latest_collab_folder(
|
||||||
collab_storage,
|
collab_storage,
|
||||||
GetCollabOrigin::Server,
|
GetCollabOrigin::Server,
|
||||||
|
|
|
||||||
|
|
@ -40,6 +40,13 @@ async fn access_request_test() {
|
||||||
resp.unwrap_err().code,
|
resp.unwrap_err().code,
|
||||||
ErrorCode::AccessRequestAlreadyExists
|
ErrorCode::AccessRequestAlreadyExists
|
||||||
);
|
);
|
||||||
|
// Only workspace owner should be allowed to view access requests
|
||||||
|
let resp = requester_client
|
||||||
|
.get_access_request(access_request.request_id)
|
||||||
|
.await;
|
||||||
|
assert!(resp.is_err());
|
||||||
|
assert_eq!(resp.unwrap_err().code, ErrorCode::NotEnoughPermissions);
|
||||||
|
|
||||||
let access_request_id = access_request.request_id;
|
let access_request_id = access_request.request_id;
|
||||||
let access_request_to_be_approved = owner_client
|
let access_request_to_be_approved = owner_client
|
||||||
.get_access_request(access_request_id)
|
.get_access_request(access_request_id)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue