Enforce the action inside of the function

2026-06-13 19:07:18 +00:00 · 2026-06-12 14:22:17 -07:00
parent 471ae98204
commit 5a8a48f9bf
2 changed files with 23 additions and 1 deletions
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -612,7 +612,7 @@ authenticated.post(
    verifyValidSubscription(tierMatrix.advancedPrivateResources),
    verifyOrgAccess,
    verifyLimits,
-    verifyUserHasAction(ActionsEnum.signSshKey),
+    // verifyUserHasAction(ActionsEnum.signSshKey), // this check happens inside of the function now
    // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata
    ssh.signSshKey
 );
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -20,6 +20,7 @@ import {
    logsDb,
    newts,
    roles,
+    roleActions,
    rolePolicies,
    roleResources,
    roleSiteResources,
@@ -141,6 +142,27 @@ export async function signSshKey(
            );
        }

+        const roleActionPermission = await db
+            .select({ roleId: roleActions.roleId })
+            .from(roleActions)
+            .where(
+                and(
+                    eq(roleActions.actionId, ActionsEnum.signSshKey),
+                    inArray(roleActions.roleId, roleIds),
+                    eq(roleActions.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (roleActionPermission.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have permission perform this action"
+                )
+            );
+        }
+
        const isLicensed = await isLicensedOrSubscribed(
            orgId,
            tierMatrix.advancedPrivateResources