fix: permissions not restricted for certain management pages / actions (#1219)

* fix: restrict parts of manage navigation to admins * fix: restrict stats cards on manage home page * fix: restrict access to amount of certain stats for manage home * fix: restrict visibility of board create button * fix: restrict access to integration pages * fix: restrict access to tools pages for admins * fix: restrict access to user and group pages * test: adjust tests to match permission changes for routes * fix: remove certain pages from spotlight without admin * fix: app management not restricted
2024-10-05 17:03:32 +02:00
parent 770768eb21
commit 1421ccc917
28 changed files with 756 additions and 322 deletions
--- a/packages/api/src/router/integration/integration-router.ts
+++ b/packages/api/src/router/integration/integration-router.ts
@@ -4,6 +4,7 @@ import { decryptSecret, encryptSecret } from "@homarr/common/server";
 import type { Database } from "@homarr/db";
 import { and, asc, createId, eq, inArray, like } from "@homarr/db";
 import {
+  groupMembers,
  groupPermissions,
  integrationGroupPermissions,
  integrations,
@@ -14,20 +15,48 @@ import type { IntegrationSecretKind } from "@homarr/definitions";
 import { getPermissionsWithParents, integrationKinds, integrationSecretKindObject } from "@homarr/definitions";
 import { validation, z } from "@homarr/validation";

-import { createTRPCRouter, permissionRequiredProcedure, protectedProcedure } from "../../trpc";
+import { createTRPCRouter, permissionRequiredProcedure, protectedProcedure, publicProcedure } from "../../trpc";
 import { throwIfActionForbiddenAsync } from "./integration-access";
 import { testConnectionAsync } from "./integration-test-connection";

 export const integrationRouter = createTRPCRouter({
-  all: protectedProcedure.query(async ({ ctx }) => {
-    const integrations = await ctx.db.query.integrations.findMany();
+  all: publicProcedure.query(async ({ ctx }) => {
+    const groupsOfCurrentUser = await ctx.db.query.groupMembers.findMany({
+      where: eq(groupMembers.userId, ctx.session?.user.id ?? ""),
+    });
+
+    const integrations = await ctx.db.query.integrations.findMany({
+      with: {
+        userPermissions: {
+          where: eq(integrationUserPermissions.userId, ctx.session?.user.id ?? ""),
+        },
+        groupPermissions: {
+          where: inArray(
+            integrationGroupPermissions.groupId,
+            groupsOfCurrentUser.map((group) => group.groupId),
+          ),
+        },
+      },
+    });
    return integrations
-      .map((integration) => ({
-        id: integration.id,
-        name: integration.name,
-        kind: integration.kind,
-        url: integration.url,
-      }))
+      .map((integration) => {
+        const permissions = integration.userPermissions
+          .map(({ permission }) => permission)
+          .concat(integration.groupPermissions.map(({ permission }) => permission));
+
+        return {
+          id: integration.id,
+          name: integration.name,
+          kind: integration.kind,
+          url: integration.url,
+          permissions: {
+            hasUseAccess:
+              permissions.includes("use") || permissions.includes("interact") || permissions.includes("full"),
+            hasInteractAccess: permissions.includes("interact") || permissions.includes("full"),
+            hasFullAccess: permissions.includes("full"),
+          },
+        };
+      })
      .sort(
        (integrationA, integrationB) =>
          integrationKinds.indexOf(integrationA.kind) - integrationKinds.indexOf(integrationB.kind),