feat(api): add checks for workflow groups (#6077)
richardlt authored Feb 9, 2022
1 parent 5f5313a commit f260e1e
Showing 3 changed files with 520 additions and 278 deletions.
28 changes: 26 additions & 2 deletions engine/api/workflow_group.go
@@ -106,12 +106,24 @@ func (api *API) putWorkflowGroupHandler() service.Handler {
return sdk.WrapError(sdk.ErrNotFound, "no permission found for group %q on workflow", gp.Group.Name)
}

g, err := group.LoadByName(ctx, api.mustDB(), gp.Group.Name, group.LoadOptions.WithOrganization)
g, err := group.LoadByName(ctx, api.mustDB(), gp.Group.Name, group.LoadOptions.WithOrganization, group.LoadOptions.WithMembers)
if err != nil {
return sdk.WrapError(err, "cannot load group with name %q", gp.Group.Name)
}
gp.Group = *g

if !isGroupAdmin(ctx, g) && gp.Permission > oldGp.Permission {
if isAdmin(ctx) {
trackSudo(ctx, w)
} else {
return sdk.WithStack(sdk.ErrInvalidGroupAdmin)
}
}

if group.IsDefaultGroupID(g.ID) && gp.Permission > sdk.PermissionRead {
return sdk.NewErrorFrom(sdk.ErrDefaultGroupPermission, "only read permission is allowed to default group")
}

tx, err := api.mustDB().Begin()
if err != nil {
return sdk.WrapError(err, "cannot start transaction")
@@ -164,12 +176,24 @@ func (api *API) postWorkflowGroupHandler() service.Handler {
}
}

g, err := group.LoadByName(ctx, api.mustDB(), gp.Group.Name, group.LoadOptions.WithOrganization)
g, err := group.LoadByName(ctx, api.mustDB(), gp.Group.Name, group.LoadOptions.WithOrganization, group.LoadOptions.WithMembers)
if err != nil {
return sdk.WrapError(err, "cannot load group with name %q", gp.Group.Name)
}
gp.Group = *g

if !isGroupAdmin(ctx, g) && gp.Permission > sdk.PermissionRead {
if isAdmin(ctx) {
trackSudo(ctx, w)
} else {
return sdk.WithStack(sdk.ErrInvalidGroupAdmin)
}
}

if group.IsDefaultGroupID(g.ID) && gp.Permission > sdk.PermissionRead {
return sdk.NewErrorFrom(sdk.ErrDefaultGroupPermission, "only read permission is allowed to default group")
}

tx, err := api.mustDB().Begin()
if err != nil {
return sdk.WrapError(err, "cannot start transaction")
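Review bot: In both putWorkflowGroupHandler and postWorkflowGroupHandler the sudo path runs before the default-group rule, so an instance admin who requests more than read on the default group has `trackSudo(ctx, w)` called and is then rejected with ErrDefaultGroupPermission; moving the `group.IsDefaultGroupID(g.ID) && gp.Permission > sdk.PermissionRead` check above the group-admin check would keep whatever trackSudo records limited to changes that can actually proceed. The group-admin decision also appears to depend on the members loaded by the newly added `group.LoadOptions.WithMembers` (isGroupAdmin is not visible here, so this is inferred), and a comment at the LoadByName call such as `// WithMembers is required by the isGroupAdmin check below` would protect the authorization check from a later cleanup of the load options. The same twelve-line block is duplicated in the two handlers with only the threshold differing (`oldGp.Permission` in PUT, `sdk.PermissionRead` in POST), so a small shared helper taking the threshold would keep the two rules from drifting apart. Both handler bodies start and end outside the visible hunks.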