diff --git a/server/middlewares/verifySiteAccess.ts b/server/middlewares/verifySiteAccess.ts
index e630cf0f1..c4d35a52f 100644
--- a/server/middlewares/verifySiteAccess.ts
+++ b/server/middlewares/verifySiteAccess.ts
@@ -71,6 +71,15 @@ export async function verifySiteAccess(
 );
 }
 
+ if (req.userOrgId && site.orgId !== req.userOrgId) {
+ return next(
+ createHttpError(
+ HttpCode.FORBIDDEN,
+ "User does not have access to this site"
+ )
+ );
+ }
+
 if (!req.userOrg) {
 // Get user's role ID in the organization
 const userOrgRole = await db
@@ -128,10 +137,7 @@ export async function verifySiteAccess(
 .where(
 and(
 eq(roleSites.siteId, site.siteId),
- inArray(
- roleSites.roleId,
- req.userOrgRoleIds!
- )
+ inArray(roleSites.roleId, req.userOrgRoleIds!)
 )
 )
 .limit(1)
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 440bb5f21..db0db594a 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -561,6 +561,7 @@ authenticated.delete(
 authenticated.put(
 "/resource/:resourceId/target",
 verifyResourceAccess,
+ verifySiteAccess,
 verifyLimits,
 verifyUserHasAction(ActionsEnum.createTarget),
 logActionAudit(ActionsEnum.createTarget),
@@ -612,6 +613,7 @@ authenticated.get(
 authenticated.post(
 "/target/:targetId",
 verifyTargetAccess,
+ verifySiteAccess,
 verifyLimits,
 verifyUserHasAction(ActionsEnum.updateTarget),
 logActionAudit(ActionsEnum.updateTarget),
@@ -1234,7 +1236,8 @@ export const authRouter = Router();
 unauthenticated.use("/auth", authRouter);
 authRouter.use(
 rateLimit({
- windowMs: config.getRawConfig().rate_limits.auth.window_minutes * 60 * 1000,
+ windowMs:
+ config.getRawConfig().rate_limits.auth.window_minutes * 60 * 1000,
 max: config.getRawConfig().rate_limits.auth.max_requests,
 keyGenerator: (req) =>
 `authRouterGlobal:${ipKeyGenerator(req.ip || "")}:${req.path}`,
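Review bot: The new cross-org guard in the first hunk of verifySiteAccess.ts is gated on the truthiness of `req.userOrgId`, so whenever that field is undefined, null or an empty string the org comparison is skipped entirely and the function falls through to the `!req.userOrg` role lookup, which is a silent fail-open rather than a rejection. Where `req.userOrgId` is populated is outside this hunk, so it may be that every route reaching this middleware has it set, but that invariant should be stated next to the check, e.g. `// req.userOrgId is set by the upstream org middleware; a site never belongs to more than one org, so a mismatch is a hard deny` — and if the invariant does not hold for every caller, the guard should deny when the org is unknown instead of skipping. The enclosing verifySiteAccess function starts and ends outside the hunk.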
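Review bot: In the external.ts hunks that add `verifySiteAccess` to `PUT /resource/:resourceId/target` and `POST /target/:targetId` (the second of those hunks has the same point), neither route carries a `siteId` path parameter, so how the middleware resolves the site it checks on these routes is not visible here — presumably from the request body, which the client controls. It is worth confirming that verifySiteAccess rejects the request when no site id can be resolved from the body rather than passing through, since a missing or malformed `siteId` would otherwise turn the new ownership check into a no-op on exactly these two routes. A one-line comment above each added middleware entry stating where the site id comes from, e.g. `// verifySiteAccess reads siteId from the body; it must reject when absent`, would make the intended contract explicit.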