17 changes: 12 additions & 5 deletions forge/comms/aclManager.js
Expand Up @@ -7,7 +7,8 @@
* Other components (ie EE-specific features) can register their own additional ACLs
*/
module.exports = function (app) {
const expertRbacToolCheck = async (teamMembership, application, toolName) => {
const expertRbacToolCheck = async (teamMembership, toolName, application) => {
const applicationCheck = typeof application !== 'undefined'
const applicationHash = typeof application === 'object' ? application.hashid : application
if (toolName === 'expert:status-message') {
return true
Expand All @@ -20,8 +21,15 @@ module.exports = function (app) {
'automation:get-flows': 'project:flows:view'
}
const requiredPermission = toolAccessPermission[toolName] || 'project:flows:edit' // default to highest level of access if tool isn't in the list, to be safe
if (!app.hasPermission(teamMembership, requiredPermission, { applicationId: applicationHash })) {
return false

if (applicationCheck) {
if (!app.hasPermission(teamMembership, requiredPermission, { applicationId: applicationHash })) {
return false
}
} else {
if (!app.hasPermission(teamMembership, requiredPermission)) {
return false
}
}
return true
}
Expand Down Expand Up @@ -265,7 +273,6 @@ module.exports = function (app) {
throw ValidationError('team does not exist')
} else {
teamId = team.id
applicationHash = null // NA
}
} else {
throw ValidationError('invalid entity')
Expand Down Expand Up @@ -293,7 +300,7 @@ module.exports = function (app) {

// if this is an inflight channel messages we must validate the user has appropriate RBAC permission
if (isInflight) {
const result = await expertRbacToolCheck(teamMembership, applicationHash, inflightType)
const result = await expertRbacToolCheck(teamMembership, inflightType, applicationHash)
if (!result) {
throw ValidationError('user does not have permission to access this inflight topic')
}
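Review bot: The new `const applicationCheck = typeof application !== 'undefined'` line makes the difference between `undefined` and `null` decide which permission check runs, and the only thing keeping the team-only caller on the `undefined` side is the deleted `applicationHash = null // NA` assignment in the third hunk; neither the check nor the call site in the last hunk records that contract. A `null`, or an object without a `hashid`, still takes the application-scoped branch and passes `applicationId: null`/`undefined` to `app.hasPermission`, whose handling of an unresolved id is not visible here. I would state the contract at the check, e.g. `// undefined = no application scope (team-level check); any other value, including null, is passed through as applicationId`, and fail closed before the permission call with `if (applicationCheck && applicationHash == null) { return false }` so a caller that still assigns null cannot reach a check with an unresolved application id. The declaration of `applicationHash` and the body of the enclosing function in the third and fourth hunks lie outside the visible hunks, so whether it is left `undefined` there is inferred, not shown.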