connectors: enforce VIEWER role restriction on connector/tool creation#238
Merged
Connector/tool creation and import endpoints only ran JWT auth and license checks, while update/delete paths reject VIEWER users via assertCanWrite/assertCanWriteConnector. This made the read-only role inconsistent: viewers could create connectors and MCP tools.

Add an assertCanCreate helper and apply the VIEWER check to:
- POST /api/connectors
- POST /api/connectors/import-all
- POST /api/adapters/:slug/import

Add regression tests proving VIEWER gets 403 and EDITOR/ADMIN succeed.

https://claude.ai/code/session_01XJiM3Vsk1D98hbYaDiRJJp
Summary
Connector/tool creation and import endpoints only ran JWT auth and license checks, while update/delete paths reject VIEWER users via assertCanWrite/assertCanWriteConnector. This left the read-only role inconsistent: viewers could create connectors and MCP tools.

This PR closes that gap by applying the existing VIEWER restriction to all creation/import paths:
- Add an assertCanCreate helper on ConnectorsController and call it from create (POST /api/connectors) and importAll (POST /api/connectors/import-all).
- Add the VIEWER check to AdaptersController.importAdapter (POST /api/adapters/:slug/import).

Test plan
- connectors.controller.spec.ts and adapters.controller.spec.ts: 9 tests asserting VIEWER receives ForbiddenException and EDITOR/ADMIN still succeed on all three endpoints.
- eslint and tsc --noEmit clean.

https://claude.ai/code/session_01XJiM3Vsk1D98hbYaDiRJJp

Generated by Claude Code
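The following is an added illustration of the authorization pattern this PR describes, written for this page and not taken from the project's code base. It models a NestJS-style controller pair with one allow-list write policy shared by update, create and import paths, so that a read-only VIEWER is rejected with a 403 on every mutating route and a new route cannot forget the check without it being visible at the call site. The names Role, AuthUser, ForbiddenException, assertCanWrite, assertCanCreate, ConnectorsController, AdaptersController and writePathMatrix are assumptions standing in for the project's real types and routes.

```typescript
// Added illustration for this PR's authorization fix; not the project's code.
// Role, AuthUser, ForbiddenException and the controllers below are assumed
// stand-ins for the project's real types.

class ForbiddenException extends Error {
  readonly status = 403;
  constructor(message = "Forbidden") {
    super(message);
    this.name = "ForbiddenException";
  }
}

type Role = "VIEWER" | "EDITOR" | "ADMIN";
interface AuthUser { id: string; role: Role; }

// Roles allowed to mutate connectors and tools. An allow-list fails closed:
// an unknown role (a typo, a role added later) is denied, not let through.
const WRITE_ROLES: ReadonlySet<string> = new Set(["EDITOR", "ADMIN"]);

function assertCanWrite(user: AuthUser | undefined): void {
  if (!user || !WRITE_ROLES.has(user.role)) {
    throw new ForbiddenException("read-only role may not modify connectors");
  }
}

// Creation and import share the write policy; a named helper makes the check
// easy to spot in every creation path, which is the gap the PR closes.
function assertCanCreate(user: AuthUser | undefined): void {
  assertCanWrite(user);
}

interface Connector { id: string; name: string; createdBy: string; }

class ConnectorsController {
  private readonly store = new Map<string, Connector>();
  private seq = 0;

  // POST /api/connectors
  create(user: AuthUser, name: string): Connector {
    assertCanCreate(user);
    const c: Connector = { id: `c${++this.seq}`, name, createdBy: user.id };
    this.store.set(c.id, c);
    return c;
  }

  // POST /api/connectors/import-all
  importAll(user: AuthUser, names: string[]): Connector[] {
    assertCanCreate(user);
    return names.map((n) => this.create(user, n));
  }

  // PUT /api/connectors/:id (the path that was already guarded before the PR)
  update(user: AuthUser, id: string, name: string): Connector {
    assertCanWrite(user);
    const c = this.store.get(id);
    if (!c) throw new Error(`no connector ${id}`);
    c.name = name;
    return c;
  }

  // GET /api/connectors: read paths stay open to every authenticated role
  list(): Connector[] {
    return [...this.store.values()];
  }
}

class AdaptersController {
  constructor(private readonly connectors: ConnectorsController) {}

  // POST /api/adapters/:slug/import
  importAdapter(user: AuthUser, slug: string): Connector {
    assertCanCreate(user);
    return this.connectors.create(user, `adapter:${slug}`);
  }
}

// Exercise every write path with every role and record the HTTP status each
// call would produce, so the policy can be reviewed as one matrix.
function writePathMatrix(): Record<string, Record<Role, number>> {
  const roles: Role[] = ["VIEWER", "EDITOR", "ADMIN"];
  const paths: Record<string, (u: AuthUser) => unknown> = {
    "POST /api/connectors": (u) => new ConnectorsController().create(u, "db"),
    "POST /api/connectors/import-all": (u) =>
      new ConnectorsController().importAll(u, ["a", "b"]),
    "POST /api/adapters/:slug/import": (u) =>
      new AdaptersController(new ConnectorsController()).importAdapter(u, "github"),
  };
  const matrix: Record<string, Record<Role, number>> = {};
  for (const [path, call] of Object.entries(paths)) {
    matrix[path] = { VIEWER: 0, EDITOR: 0, ADMIN: 0 };
    for (const role of roles) {
      try {
        call({ id: `user-${role.toLowerCase()}`, role }); // constructed sample user
        matrix[path][role] = 201;
      } catch (e) {
        matrix[path][role] = e instanceof ForbiddenException ? e.status : 500;
      }
    }
  }
  return matrix;
}

console.table(writePathMatrix());
```

Running the block prints a route-by-role table in which every POST route shows 403 for VIEWER and 201 for EDITOR and ADMIN; that table is the same shape as the nine regression tests in the PR, and it is the artefact a reviewer can compare against the route list whenever a new mutating endpoint is added.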