From bd621811731c0f4c9080deedb79afd4043402497 Mon Sep 17 00:00:00 2001
From: Stephen McLaughlin <44235289+Steve-Mcl@users.noreply.github.com>
Date: Tue, 30 Jun 2026 19:15:17 +0100
Subject: [PATCH 1/5] Fix RBAC permission check for inflight messages
---
 forge/comms/aclManager.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/forge/comms/aclManager.js b/forge/comms/aclManager.js
index 51e8349e45..14ecc2563f 100644
--- a/forge/comms/aclManager.js
+++ b/forge/comms/aclManager.js
@@ -292,7 +292,7 @@ module.exports = function (app) {
 }
 // if this is an inflight channel messages we must validate the user has appropriate RBAC permission
- if (isInflight) {
+ if (isInflight && && ['p', 'd', 'a'].includes(entityType)) {
 const result = await expertRbacToolCheck(teamMembership, applicationHash, inflightType)
 if (!result) {
 throw ValidationError('user does not have permission to access this inflight topic')
From 0b6a5acd2d3fcd22fa1ea743bf24b7d1bdb868f9 Mon Sep 17 00:00:00 2001
From: Stephen McLaughlin <44235289+Steve-Mcl@users.noreply.github.com>
Date: Tue, 30 Jun 2026 19:19:53 +0100
Subject: [PATCH 2/5] Apply suggestion from @Steve-Mcl
---
 forge/comms/aclManager.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/forge/comms/aclManager.js b/forge/comms/aclManager.js
index 14ecc2563f..465187e865 100644
--- a/forge/comms/aclManager.js
+++ b/forge/comms/aclManager.js
@@ -292,7 +292,7 @@ module.exports = function (app) {
 }
 // if this is an inflight channel messages we must validate the user has appropriate RBAC permission
- if (isInflight && && ['p', 'd', 'a'].includes(entityType)) {
+ if (isInflight && ['p', 'd', 'a'].includes(entityType)) {
 const result = await expertRbacToolCheck(teamMembership, applicationHash, inflightType)
 if (!result) {
 throw ValidationError('user does not have permission to access this inflight topic')
From ea770ae113af5c3d3c7f23a8f478029b4a293ae7 Mon Sep 17 00:00:00 2001
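Review bot: The added line `if (isInflight && && ['p', 'd', 'a'].includes(entityType)) {` is a syntax error, so aclManager.js cannot be loaded at this revision and every ACL decision this module makes is unavailable until 2/5 lands. Squash 1/5 into 2/5 so no commit in the range fails to parse; as it stands this revision is an unusable point for bisecting. The enclosing function starts and ends outside the hunk.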
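Review bot: Gating the RBAC call on `['p', 'd', 'a'].includes(entityType)` means an inflight topic for any other entity type never reaches expertRbacToolCheck, so for those topics the permission check is absent rather than failing closed; presumably the team branch seen in 5/5 (`teamId = team.id`, no application) is exactly such a case. If the goal is only to avoid calling hasPermission without an application, put that fallback inside the callee instead of bypassing the check here. 4/5 removes this condition again, so 1/5, 2/5 and 4/5 are probably better squashed so the bypass never exists in history. The enclosing function starts and ends outside the hunk.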
From: Steve-Mcl
Date: Wed, 1 Jul 2026 10:27:01 +0100
Subject: [PATCH 3/5] Better fix for permission check in expertRbacToolCheck function
---
 forge/comms/aclManager.js | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/forge/comms/aclManager.js b/forge/comms/aclManager.js
index 465187e865..c3cbd7f5d4 100644
--- a/forge/comms/aclManager.js
+++ b/forge/comms/aclManager.js
@@ -7,7 +7,8 @@
 * Other components (ie EE-specific features) can register their own additional ACLs
 */
 module.exports = function (app) {
- const expertRbacToolCheck = async (teamMembership, application, toolName) => {
+ const expertRbacToolCheck = async (teamMembership, toolName, application) => {
+ const applicationCheck = typeof application !== 'undefined'
 const applicationHash = typeof application === 'object' ? application.hashid : application
 if (toolName === 'expert:status-message') {
 return true
@@ -20,8 +21,15 @@ module.exports = function (app) {
 'automation:get-flows': 'project:flows:view'
 }
 const requiredPermission = toolAccessPermission[toolName] || 'project:flows:edit' // default to highest level of access if tool isn't in the list, to be safe
- if (!app.hasPermission(teamMembership, requiredPermission, { applicationId: applicationHash })) {
- return false
+
+ if (applicationCheck) {
+ if (!app.hasPermission(teamMembership, requiredPermission, { applicationId: applicationHash })) {
+ return false
+ }
+ } else {
+ if (!app.hasPermission(teamMembership, requiredPermission)) {
+ return false
+ }
 }
 return true
 }
From c0750c8225ce6b7af75db6d7c07de28e19c18b73 Mon Sep 17 00:00:00 2001
From: Steve-Mcl
Date: Wed, 1 Jul 2026 11:03:42 +0100
Subject: [PATCH 4/5] Allow rbac check even if application not present
---
 forge/comms/aclManager.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/forge/comms/aclManager.js b/forge/comms/aclManager.js
index c3cbd7f5d4..d4bfe03bdd 100644
--- a/forge/comms/aclManager.js
+++ b/forge/comms/aclManager.js
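Review bot: The signature becomes `(teamMembership, toolName, application)` but the only caller visible in this series still passes `(teamMembership, applicationHash, inflightType)` until 4/5, so at this revision `toolName` receives the application hash and `application` receives the inflight type: the `toolAccessPermission` lookup misses, the check falls back to the default permission, and hasPermission is scoped to a bogus applicationId. Move the call-site change from 4/5 into this commit so the signature and its caller change together. Separately, `typeof application !== 'undefined'` treats `null` as a present application; `const applicationCheck = application != null` covers both and does not rely on callers leaving the variable unassigned. The module function this sits in continues past the hunk.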
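Review bot: The new `else` branch widens the authorization scope from one application to the caller's team membership whenever no application is supplied, and nothing in the hunk records that this is deliberate; add `// No application in scope (e.g. team-level inflight topics): fall back to the team-wide permission check` above `} else {` so a later reader does not read it as a missing argument. Whether `app.hasPermission(teamMembership, requiredPermission)` without an applicationId is more or less permissive than the scoped call is not visible here, so confirm it cannot grant access the scoped call would deny. The two branches could also be a single call via `const scope = applicationCheck ? { applicationId: applicationHash } : undefined` if hasPermission treats an undefined third argument like an absent one. expertRbacToolCheck's signature is above this hunk.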
@@ -300,8 +300,8 @@ module.exports = function (app) {
 }
 // if this is an inflight channel messages we must validate the user has appropriate RBAC permission
- if (isInflight && ['p', 'd', 'a'].includes(entityType)) {
- const result = await expertRbacToolCheck(teamMembership, applicationHash, inflightType)
+ if (isInflight) {
+ const result = await expertRbacToolCheck(teamMembership, inflightType, applicationHash)
 if (!result) {
 throw ValidationError('user does not have permission to access this inflight topic')
 }
From 3f5899a9ae7e35b70f3d3da2ff89f91dfd7f00e0 Mon Sep 17 00:00:00 2001
From: Steve-Mcl
Date: Wed, 1 Jul 2026 11:15:46 +0100
Subject: [PATCH 5/5] dont set applicationHash to null (needs to stay undefined)
---
 forge/comms/aclManager.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/forge/comms/aclManager.js b/forge/comms/aclManager.js
index d4bfe03bdd..f75b60c756 100644
--- a/forge/comms/aclManager.js
+++ b/forge/comms/aclManager.js
@@ -273,7 +273,6 @@ module.exports = function (app) {
 throw ValidationError('team does not exist')
 } else {
 teamId = team.id
- applicationHash = null // NA
 }
 } else {
 throw ValidationError('invalid entity')
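Review bot: At this revision the `applicationHash` passed on the new `const result = await expertRbacToolCheck(teamMembership, inflightType, applicationHash)` line is still set to `null` by the team branch (the `applicationHash = null // NA` line that 5/5 removes, presumably in the same function), and because expertRbacToolCheck only tests `typeof application !== 'undefined'`, a null hash counts as a present application and hasPermission is scoped to `{ applicationId: null }` instead of taking the team-wide fallback this commit's title describes. Make the callee's guard `application != null`, or pass `applicationHash ?? undefined` here, so the fallback does not depend on the variable never being assigned null. The enclosing function starts and ends outside the hunk.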