Authorize notification before sending it

Author: VeljkoMaksimovic

notifications/lib/notifications/auth.ex

@@ -12,8 +12,14 @@ defmodule Notifications.Auth do
     authorize(user_id, org_id, "organization.notifications.manage")
   end
 
-  defp authorize(user_id, org_id, permission) do
-    req = Request.new(user_id: user_id, org_id: org_id)
+  def can_view_project?(user_id, org_id, project_id) do
+    authorize(user_id, org_id, project_id, "project.view")
+  end
+
+  defp authorize(user_id, org_id, permission), do: authorize(user_id, org_id, "", permission)
+
+  defp authorize(user_id, org_id, project_id, permission) do
+    req = Request.new(user_id: user_id, org_id: org_id, project_id: project_id)
     endpoint = Application.fetch_env!(:notifications, :rbac_endpoint)
     {:ok, channel} = GRPC.Stub.connect(endpoint)
 

notifications/lib/notifications/workers/coordinator.ex

@@ -50,7 +50,9 @@ defmodule Notifications.Workers.Coordinator do
           organization: organization
         }
 
-        rules |> Enum.each(fn rule -> process(request_id, rule, data) end)
+        rules
+        |> Enum.filter(&authorized?(&1.notification.creator_id, &1.org_id, project.metadata.id))
+        |> Enum.each(fn rule -> process(request_id, rule, data) end)
 
         Logger.info("#{request_id} #{event.pipeline_id}")
       end)
@@ -87,6 +89,15 @@ defmodule Notifications.Workers.Coordinator do
       Logger.info("#{request_id} [done]")
     end
 
+    defp authorized?(_creator_id = nil, _org_id, _project_id), do: true
+
+    defp authorized?(creator_id, org_id, project_id) do
+      case Notifications.Auth.can_view_project?(creator_id, org_id, project_id) do
+        {:ok, :authorized} -> true
+        _ -> false
+      end
+    end
+
     defp map_result_to_string(enum), do: enum |> Atom.to_string() |> String.downcase()
   end
 end

notifications/lib/notifications/workers/coordinator/api.ex

@@ -4,7 +4,6 @@ defmodule Notifications.Workers.Coordinator.Api do
     alias InternalApi.RepoProxy.DescribeRequest
 
     req = DescribeRequest.new(hook_id: hook_id)
-
     endpoint = Application.fetch_env!(:notifications, :repo_proxy_endpoint)
     {:ok, channel} = GRPC.Stub.connect(endpoint)
 
@@ -39,7 +38,6 @@ defmodule Notifications.Workers.Coordinator.Api do
     alias InternalApi.Plumber.PipelineService.Stub
 
     req = InternalApi.Plumber.DescribeRequest.new(ppl_id: pipeline_id, detailed: true)
-
     endpoint = Application.get_env(:notifications, :pipeline_endpoint)
     {:ok, channel} = GRPC.Stub.connect(endpoint)
 

notifications/lib/notifications/workers/coordinator/filter.ex

@@ -10,6 +10,7 @@ defmodule Notifications.Workers.Coordinator.Filter do
     |> with_pattern([branch, pr_branch], "branch")
     |> with_pattern(pipeline, "pipeline")
     |> with_pattern(result, "result")
+    |> preload(:notification)
     |> Repo.all()
   end