fix: permissions not restricted for certain management pages / actions (#1219)

* fix: restrict parts of manage navigation to admins * fix: restrict stats cards on manage home page * fix: restrict access to amount of certain stats for manage home * fix: restrict visibility of board create button * fix: restrict access to integration pages * fix: restrict access to tools pages for admins * fix: restrict access to user and group pages * test: adjust tests to match permission changes for routes * fix: remove certain pages from spotlight without admin * fix: app management not restricted
2024-10-05 17:03:32 +02:00
parent 770768eb21
commit 1421ccc917
28 changed files with 756 additions and 322 deletions
--- a/apps/nextjs/src/app/[locale]/manage/integrations/edit/[id]/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/integrations/edit/[id]/page.tsx
@@ -6,6 +6,7 @@ import { getI18n, getScopedI18n } from "@homarr/translation/server";
 import { IntegrationAvatar } from "@homarr/ui";

 import { DynamicBreadcrumb } from "~/components/navigation/dynamic-breadcrumb";
+import { catchTrpcNotFound } from "~/errors/trpc-not-found";
 import { IntegrationAccessSettings } from "../../_components/integration-access-settings";
 import { EditIntegrationForm } from "./_integration-edit-form";

@@ -16,7 +17,7 @@ interface EditIntegrationPageProps {
 export default async function EditIntegrationPage({ params }: EditIntegrationPageProps) {
  const editT = await getScopedI18n("integration.page.edit");
  const t = await getI18n();
-  const integration = await api.integration.byId({ id: params.id });
+  const integration = await api.integration.byId({ id: params.id }).catch(catchTrpcNotFound);
  const integrationPermissions = await api.integration.getIntegrationPermissions({ id: integration.id });

  return (
--- a/apps/nextjs/src/app/[locale]/manage/integrations/new/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/integrations/new/page.tsx
@@ -1,6 +1,7 @@
 import { notFound } from "next/navigation";
 import { Container, Group, Stack, Title } from "@mantine/core";

+import { auth } from "@homarr/auth/next";
 import type { IntegrationKind } from "@homarr/definitions";
 import { getIntegrationName, integrationKinds } from "@homarr/definitions";
 import { getScopedI18n } from "@homarr/translation/server";
@@ -18,6 +19,11 @@ interface NewIntegrationPageProps {
 }

 export default async function IntegrationsNewPage({ searchParams }: NewIntegrationPageProps) {
+  const session = await auth();
+  if (!session?.user.permissions.includes("integration-create")) {
+    notFound();
+  }
+
  const result = z.enum(integrationKinds).safeParse(searchParams.kind);
  if (!result.success) {
    notFound();
--- a/apps/nextjs/src/app/[locale]/manage/integrations/page.tsx
+++ b/apps/nextjs/src/app/[locale]/manage/integrations/page.tsx
@@ -30,6 +30,7 @@ import { IconChevronDown, IconChevronUp, IconPencil } from "@tabler/icons-react"

 import type { RouterOutputs } from "@homarr/api";
 import { api } from "@homarr/api/server";
+import { auth } from "@homarr/auth/next";
 import { objectEntries } from "@homarr/common";
 import type { IntegrationKind } from "@homarr/definitions";
 import { getIntegrationName } from "@homarr/definitions";
@@ -50,8 +51,11 @@ interface IntegrationsPageProps {

 export default async function IntegrationsPage({ searchParams }: IntegrationsPageProps) {
  const integrations = await api.integration.all();
+  const session = await auth();
  const t = await getScopedI18n("integration");

+  const canCreateIntegrations = session?.user.permissions.includes("integration-create") ?? false;
+
  return (
    <ManageContainer>
      <DynamicBreadcrumb />
@@ -59,23 +63,27 @@ export default async function IntegrationsPage({ searchParams }: IntegrationsPag
        <Group justify="space-between" align="center">
          <Title>{t("page.list.title")}</Title>

-          <Box>
-            <IntegrationSelectMenu>
-              <Affix hiddenFrom="md" position={{ bottom: 20, right: 20 }}>
-                <MenuTarget>
-                  <Button rightSection={<IconChevronUp size={16} stroke={1.5} />}>{t("action.create")}</Button>
-                </MenuTarget>
-              </Affix>
-            </IntegrationSelectMenu>
-          </Box>
+          {canCreateIntegrations && (
+            <>
+              <Box>
+                <IntegrationSelectMenu>
+                  <Affix hiddenFrom="md" position={{ bottom: 20, right: 20 }}>
+                    <MenuTarget>
+                      <Button rightSection={<IconChevronUp size={16} stroke={1.5} />}>{t("action.create")}</Button>
+                    </MenuTarget>
+                  </Affix>
+                </IntegrationSelectMenu>
+              </Box>

-          <Box visibleFrom="md">
-            <IntegrationSelectMenu>
-              <MenuTarget>
-                <Button rightSection={<IconChevronDown size={16} stroke={1.5} />}>{t("action.create")}</Button>
-              </MenuTarget>
-            </IntegrationSelectMenu>
-          </Box>
+              <Box visibleFrom="md">
+                <IntegrationSelectMenu>
+                  <MenuTarget>
+                    <Button rightSection={<IconChevronDown size={16} stroke={1.5} />}>{t("action.create")}</Button>
+                  </MenuTarget>
+                </IntegrationSelectMenu>
+              </Box>
+            </>
+          )}
        </Group>

        <IntegrationList integrations={integrations} activeTab={searchParams.tab} />
@@ -102,6 +110,8 @@ interface IntegrationListProps {

 const IntegrationList = async ({ integrations, activeTab }: IntegrationListProps) => {
  const t = await getScopedI18n("integration");
+  const session = await auth();
+  const hasFullAccess = session?.user.permissions.includes("integration-full-all") ?? false;

  if (integrations.length === 0) {
    return <div>{t("page.list.empty")}</div>;
@@ -151,18 +161,21 @@ const IntegrationList = async ({ integrations, activeTab }: IntegrationListProps
                    </TableTd>
                    <TableTd>
                      <Group justify="end">
-                        <ActionIconGroup>
-                          <ActionIcon
-                            component={Link}
-                            href={`/manage/integrations/edit/${integration.id}`}
-                            variant="subtle"
-                            color="gray"
-                            aria-label={t("page.edit.title", { name: getIntegrationName(integration.kind) })}
-                          >
-                            <IconPencil size={16} stroke={1.5} />
-                          </ActionIcon>
-                          <DeleteIntegrationActionButton integration={integration} count={integrations.length} />
-                        </ActionIconGroup>
+                        {hasFullAccess ||
+                          (integration.permissions.hasFullAccess && (
+                            <ActionIconGroup>
+                              <ActionIcon
+                                component={Link}
+                                href={`/manage/integrations/edit/${integration.id}`}
+                                variant="subtle"
+                                color="gray"
+                                aria-label={t("page.edit.title", { name: getIntegrationName(integration.kind) })}
+                              >
+                                <IconPencil size={16} stroke={1.5} />
+                              </ActionIcon>
+                              <DeleteIntegrationActionButton integration={integration} count={integrations.length} />
+                            </ActionIconGroup>
+                          ))}
                      </Group>
                    </TableTd>
                  </TableTr>
@@ -177,18 +190,21 @@ const IntegrationList = async ({ integrations, activeTab }: IntegrationListProps
                  <Stack gap={0}>
                    <Group justify="space-between" align="center" wrap="nowrap">
                      <Text>{integration.name}</Text>
-                      <ActionIconGroup>
-                        <ActionIcon
-                          component={Link}
-                          href={`/manage/integrations/edit/${integration.id}`}
-                          variant="subtle"
-                          color="gray"
-                          aria-label={t("page.edit.title", { name: getIntegrationName(integration.kind) })}
-                        >
-                          <IconPencil size={16} stroke={1.5} />
-                        </ActionIcon>
-                        <DeleteIntegrationActionButton integration={integration} count={integrations.length} />
-                      </ActionIconGroup>
+                      {hasFullAccess ||
+                        (integration.permissions.hasFullAccess && (
+                          <ActionIconGroup>
+                            <ActionIcon
+                              component={Link}
+                              href={`/manage/integrations/edit/${integration.id}`}
+                              variant="subtle"
+                              color="gray"
+                              aria-label={t("page.edit.title", { name: getIntegrationName(integration.kind) })}
+                            >
+                              <IconPencil size={16} stroke={1.5} />
+                            </ActionIcon>
+                            <DeleteIntegrationActionButton integration={integration} count={integrations.length} />
+                          </ActionIconGroup>
+                        ))}
                    </Group>
                    <Anchor href={integration.url} target="_blank" rel="noreferrer" size="sm">
                      {integration.url}