diff --git a/forge/comms/aclManager.js b/forge/comms/aclManager.js
index 51e8349e45..f75b60c756 100644
--- a/forge/comms/aclManager.js
+++ b/forge/comms/aclManager.js
@@ -7,7 +7,8 @@
 * Other components (ie EE-specific features) can register their own additional ACLs
 */
 module.exports = function (app) {
- const expertRbacToolCheck = async (teamMembership, application, toolName) => {
+ const expertRbacToolCheck = async (teamMembership, toolName, application) => {
+ const applicationCheck = typeof application !== 'undefined'
 const applicationHash = typeof application === 'object' ? application.hashid : application
 if (toolName === 'expert:status-message') {
 return true
@@ -20,8 +21,15 @@ module.exports = function (app) {
 'automation:get-flows': 'project:flows:view'
 }
 const requiredPermission = toolAccessPermission[toolName] || 'project:flows:edit' // default to highest level of access if tool isn't in the list, to be safe
- if (!app.hasPermission(teamMembership, requiredPermission, { applicationId: applicationHash })) {
- return false
+
+ if (applicationCheck) {
+ if (!app.hasPermission(teamMembership, requiredPermission, { applicationId: applicationHash })) {
+ return false
+ }
+ } else {
+ if (!app.hasPermission(teamMembership, requiredPermission)) {
+ return false
+ }
 }
 return true
 }
@@ -265,7 +273,6 @@ module.exports = function (app) {
 throw ValidationError('team does not exist')
 } else {
 teamId = team.id
- applicationHash = null // NA
 }
 } else {
 throw ValidationError('invalid entity')
@@ -293,7 +300,7 @@ module.exports = function (app) {
 
 // if this is an inflight channel messages we must validate the user has appropriate RBAC permission
 if (isInflight) {
- const result = await expertRbacToolCheck(teamMembership, applicationHash, inflightType)
+ const result = await expertRbacToolCheck(teamMembership, inflightType, applicationHash)
 if (!result) {
 throw ValidationError('user does not have permission to access this inflight topic')
 }
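Review bot: The new presence test `typeof application !== 'undefined'` counts `null` as a supplied application, and the unchanged next line then reads `application.hashid` on it because `typeof null === 'object'`, so the check throws instead of returning a decision. The commit removes the one visible `applicationHash = null` assignment, but the variable's declaration and any other callers are outside this diff, so a null can presumably still arrive. Treating both values as absent closes that: `const applicationCheck = application !== undefined && application !== null` and `const applicationHash = applicationCheck && typeof application === 'object' ? application.hashid : application`. The body of `expertRbacToolCheck` continues outside the hunk.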
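Review bot: The `else` branch answers with the team-wide `app.hasPermission(teamMembership, requiredPermission)` whenever `application` is undefined, so a caller that loses its application reference by mistake gets an unscoped check rather than a denial. Whether that is weaker than the application-scoped check depends on `hasPermission`, which is outside this diff; if application-level roles can be narrower than the team role, this path fails open. State the intent above the branch, for example `// no application context (team-level topic): check the team role only`, and have the caller pass the application explicitly on every path that has one. A test that drives the team-entity path with a restricted application role would pin the intended behaviour.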