fix(security): missing authorization check for changes to notebook widget (#2832)

packages/api/src/router/widgets/notebook.ts

@@ -3,9 +3,10 @@ import SuperJSON from "superjson";
 import { z } from "zod";
 
 import { eq } from "@homarr/db";
-import { items } from "@homarr/db/schema";
+import { boards, items } from "@homarr/db/schema";
 
 import { createTRPCRouter, protectedProcedure } from "../../trpc";
+import { throwIfActionForbiddenAsync } from "../board/board-access";
 
 export const notebookRouter = createTRPCRouter({
   updateContent: protectedProcedure
@@ -17,6 +18,8 @@ export const notebookRouter = createTRPCRouter({
       }),
     )
     .mutation(async ({ ctx, input }) => {
+      await throwIfActionForbiddenAsync(ctx, eq(boards.id, input.boardId), "modify");
+
       const item = await ctx.db.query.items.findFirst({
         where: eq(items.id, input.itemId),
       });

packages/widgets/src/notebook/notebook.tsx

@@ -67,6 +67,10 @@ import type { WidgetComponentProps } from "../definition";
 
 import "./notebook.css";
 
+import { useSession } from "@homarr/auth/client";
+import { constructBoardPermissions } from "@homarr/auth/shared";
+import { useRequiredBoard } from "@homarr/boards/context";
+
 const iconProps = {
   size: 30,
   stroke: 1.5,
@@ -81,8 +85,11 @@ export function Notebook({ options, isEditMode, boardId, itemId }: WidgetCompone
   const [content, setContent] = useState(options.content);
   const [toSaveContent, setToSaveContent] = useState(content);
 
-  // TODO: Add check for user permissions
+  const board = useRequiredBoard();
-  const enabled = !isEditMode;
+  const { data: session } = useSession();
+  const { hasChangeAccess } = constructBoardPermissions(board, session);
+
+  const enabled = !isEditMode && hasChangeAccess;
   const [isEditing, setIsEditing] = useState(false);
 
   const { primaryColor } = useMantineTheme();