fix: enforce org-scoped access and tighten ACLs

ayham291 · ayham291 · commit 0a74132227c8 · 2025-10-13T15:56:12.000+02:00
- Require organization-scoped checks for Git provider routes
- Align router and service validation to prevent cross-org access
- add missing drizzle snapshot and journal
diff --git a/apps/dokploy/server/api/routers/application.ts b/apps/dokploy/server/api/routers/application.ts
@@ -1,5 +1,6 @@
 import {
 	addNewService,
+	canAccessProvider,
 	checkServiceAccess,
 	createApplication,
 	deleteAllMiddlewares,
@@ -403,8 +404,11 @@ export const applicationRouter = createTRPCRouter({
 		.mutation(async ({ input, ctx }) => {
 			const application = await findApplicationById(input.applicationId);
 			if (
-				application.environment.project.organizationId !==
-				ctx.session.activeOrganizationId
+				!canAccessProvider(
+					application.github?.gitProvider!,
+					ctx.session.activeOrganizationId,
+					ctx.session.userId,
+				)
 			) {
 				throw new TRPCError({
 					code: "UNAUTHORIZED",
@@ -431,8 +435,11 @@ export const applicationRouter = createTRPCRouter({
 		.mutation(async ({ input, ctx }) => {
 			const application = await findApplicationById(input.applicationId);
 			if (
-				application.environment.project.organizationId !==
-				ctx.session.activeOrganizationId
+				!canAccessProvider(
+					application.gitlab?.gitProvider!,
+					ctx.session.activeOrganizationId,
+					ctx.session.userId,
+				)
 			) {
 				throw new TRPCError({
 					code: "UNAUTHORIZED",
@@ -460,8 +467,11 @@ export const applicationRouter = createTRPCRouter({
 		.mutation(async ({ input, ctx }) => {
 			const application = await findApplicationById(input.applicationId);
 			if (
-				application.environment.project.organizationId !==
-				ctx.session.activeOrganizationId
+				!canAccessProvider(
+					application.bitbucket?.gitProvider!,
+					ctx.session.activeOrganizationId,
+					ctx.session.userId,
+				)
 			) {
 				throw new TRPCError({
 					code: "UNAUTHORIZED",
@@ -487,8 +497,11 @@ export const applicationRouter = createTRPCRouter({
 		.mutation(async ({ input, ctx }) => {
 			const application = await findApplicationById(input.applicationId);
 			if (
-				application.environment.project.organizationId !==
-				ctx.session.activeOrganizationId
+				!canAccessProvider(
+					application.gitea?.gitProvider!,
+					ctx.session.activeOrganizationId,
+					ctx.session.userId,
+				)
 			) {
 				throw new TRPCError({
 					code: "UNAUTHORIZED",
diff --git a/packages/server/src/services/application.ts b/packages/server/src/services/application.ts
@@ -105,10 +105,26 @@ export const findApplicationById = async (applicationId: string) => {
 			security: true,
 			ports: true,
 			registry: true,
-			gitlab: true,
-			github: true,
-			bitbucket: true,
-			gitea: true,
+			gitlab: {
+				with: {
+					gitProvider: true,
+				},
+			},
+			github: {
+				with: {
+					gitProvider: true,
+				},
+			},
+			bitbucket: {
+				with: {
+					gitProvider: true,
+				},
+			},
+			gitea: {
+				with: {
+					gitProvider: true,
+				},
+			},
 			server: true,
 			previewDeployments: true,
 			buildRegistry: true,
