Enforce the action inside of the function

This commit is contained in:
Owen
2026-06-12 14:22:17 -07:00
parent 471ae98204
commit 5a8a48f9bf
2 changed files with 23 additions and 1 deletions

View File

@@ -612,7 +612,7 @@ authenticated.post(
verifyValidSubscription(tierMatrix.advancedPrivateResources), verifyValidSubscription(tierMatrix.advancedPrivateResources),
verifyOrgAccess, verifyOrgAccess,
verifyLimits, verifyLimits,
verifyUserHasAction(ActionsEnum.signSshKey), // verifyUserHasAction(ActionsEnum.signSshKey), // this check happens inside of the function now
// logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata
ssh.signSshKey ssh.signSshKey
); );

View File

@@ -20,6 +20,7 @@ import {
logsDb, logsDb,
newts, newts,
roles, roles,
roleActions,
rolePolicies, rolePolicies,
roleResources, roleResources,
roleSiteResources, roleSiteResources,
@@ -141,6 +142,27 @@ export async function signSshKey(
); );
} }
const roleActionPermission = await db
.select({ roleId: roleActions.roleId })
.from(roleActions)
.where(
and(
eq(roleActions.actionId, ActionsEnum.signSshKey),
inArray(roleActions.roleId, roleIds),
eq(roleActions.orgId, orgId)
)
)
.limit(1);
if (roleActionPermission.length === 0) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have permission perform this action"
)
);
}
const isLicensed = await isLicensedOrSubscribed( const isLicensed = await isLicensedOrSubscribed(
orgId, orgId,
tierMatrix.advancedPrivateResources tierMatrix.advancedPrivateResources