
Commit 91bc319

authored
fix: prevent cross-workspace access on member and permission endpoints (#413)
1 parent d42540b commit 91bc319


2 files changed

+7
-6
lines changed


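--- a/packages/api/src/routers/member.ts
+++ b/packages/api/src/routers/member.ts
@@ -210,11 +210,12 @@ export const memberRouter = createTRPCRouter({
 input.memberPublicId,
 );
 
-if (!member)
+if (!member || member.workspaceId !== workspace.id) {
 throw new TRPCError({
 message: `Member with public ID ${input.memberPublicId} not found`,
 code: "NOT_FOUND",
 });
+}
 
 const deletedMember = await memberRepo.softDelete(ctx.db, {
 memberId: member.id,
@@ -720,7 +721,7 @@ export const memberRouter = createTRPCRouter({
 input.memberPublicId,
 );
 
-if (!member) {
+if (!member || member.workspaceId !== workspace.id) {
 throw new TRPCError({
 message: "Member not found",
 code: "NOT_FOUND",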
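Review bot: The workspace comparison runs only after a lookup that appears to be keyed on the public ID alone (only its last argument, `input.memberPublicId`, is visible), and the same `if (!member || member.workspaceId !== workspace.id)` line is pasted at both hunks here and at the four hunks in packages/api/src/routers/permission.ts, so nothing forces the next endpoint that loads a member by public ID to repeat it. Moving the check into one shared lookup that takes the workspace ID and returns nothing for a member of another workspace would make the scoped path the only path. In the first hunk the write that follows is keyed on `memberId: member.id`; its remaining arguments are outside the hunk, but if the repository call allows it, also constraining the soft delete by workspace would keep the write safe even if a guard is later dropped. Until then a short comment on the guard, such as `// A member of another workspace is reported as NOT_FOUND so the response does not confirm the ID exists elsewhere`, would record why both cases share one error. Both procedure bodies start and end outside the hunks.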

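--- a/packages/api/src/routers/permission.ts
+++ b/packages/api/src/routers/permission.ts
@@ -133,7 +133,7 @@ export const permissionRouter = createTRPCRouter({
 input.memberPublicId,
 );
 
-if (!member) {
+if (!member || member.workspaceId !== workspace.id) {
 throw new TRPCError({
 message: "Member not found",
 code: "NOT_FOUND",
@@ -209,7 +209,7 @@ export const permissionRouter = createTRPCRouter({
 input.memberPublicId,
 );
 
-if (!member) {
+if (!member || member.workspaceId !== workspace.id) {
 throw new TRPCError({
 message: "Member not found",
 code: "NOT_FOUND",
@@ -274,7 +274,7 @@ export const permissionRouter = createTRPCRouter({
 input.memberPublicId,
 );
 
-if (!member) {
+if (!member || member.workspaceId !== workspace.id) {
 throw new TRPCError({
 message: "Member not found",
 code: "NOT_FOUND",
@@ -339,7 +339,7 @@ export const permissionRouter = createTRPCRouter({
 input.memberPublicId,
 );
 
-if (!member) {
+if (!member || member.workspaceId !== workspace.id) {
 throw new TRPCError({
 message: "Member not found",
 code: "NOT_FOUND",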
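Review bot: No regression test accompanies the four guards in this file; the commit touches only the two router files, so a later refactor could drop one of the `member.workspaceId !== workspace.id` comparisons without anything failing. A test per procedure that calls it as a user of one workspace with a `memberPublicId` belonging to another workspace and expects `NOT_FOUND` would pin the behaviour. The guard also depends on how `workspace` is resolved, which happens above each hunk and is not visible here; it is worth confirming that it comes from a workspace the caller's membership has already been checked against rather than from a client-supplied identifier alone. All four procedure bodies start and end outside the hunks.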
