Fix permissions checks

istarkov · istarkov · commit e8d3a6b60f7f · 2024-12-07T07:22:20.000Z
diff --git a/packages/authorization-token/src/db/authorization-token.ts b/packages/authorization-token/src/db/authorization-token.ts
@@ -13,6 +13,7 @@ const applyTokenPermissions = (
 ): AuthorizationToken => {
   let result = token;
 
+  // @todo: fix this on SQL level
   if (token.relation !== "viewers") {
     result = {
       ...result,
@@ -21,20 +22,30 @@ const applyTokenPermissions = (
     };
   }
 
+  // @todo: fix this on SQL level
   if (token.relation === "viewers") {
     result = {
       ...result,
       canPublish: false,
     };
   }
 
+  // @todo: fix this on SQL level
   if (token.relation === "builders") {
     result = {
       ...result,
       canPublish: false,
     };
   }
 
+  // @todo: fix this on SQL level
+  if (token.relation === "administrators") {
+    result = {
+      ...result,
+      canPublish: true,
+    };
+  }
+
   return result;
 };
 
diff --git a/packages/project-build/package.json b/packages/project-build/package.json
@@ -24,6 +24,7 @@
     "@webstudio-is/postrest": "workspace:*",
     "@webstudio-is/sdk": "workspace:*",
     "@webstudio-is/trpc-interface": "workspace:*",
+    "@webstudio-is/authorization-token": "workspace:*",
     "nanoid": "^5.0.8",
     "zod": "^3.22.4"
   },
diff --git a/packages/project-build/src/db/build.ts b/packages/project-build/src/db/build.ts
@@ -7,6 +7,7 @@ import {
   authorizeProject,
   type AppContext,
 } from "@webstudio-is/trpc-interface/index.server";
+import { db as authDb } from "@webstudio-is/authorization-token/index.server";
 import {
   type Deployment,
   type Resource,
@@ -299,14 +300,31 @@ export const createProductionBuild = async (
   context: AppContext
 ) => {
   const canBuild = await authorizeProject.hasProjectPermit(
-    { projectId: props.projectId, permit: "build" },
+    { projectId: props.projectId, permit: "edit" },
     context
   );
 
   if (canBuild === false) {
     throw new AuthorizationError("You don't have access to build this project");
   }
 
+  // Get token permissions
+  if (context.authorization.type === "token") {
+    const permissions = await authDb.getTokenPermissions(
+      {
+        projectId: props.projectId,
+        token: context.authorization.authToken,
+      },
+      context
+    );
+
+    if (!permissions.canPublish) {
+      throw new AuthorizationError(
+        "The token does not have permission to build this project."
+      );
+    }
+  }
+
   const build = await context.postgrest.client.rpc("create_production_build", {
     project_id: props.projectId,
     deployment: JSON.stringify(props.deployment),
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
