From 7aff75bbd90279c59ba0e9710609cc8d2329f72d Mon Sep 17 00:00:00 2001
From: Roman Nastyuk <rnastyuk@exoft.net>
Date: Fri, 3 Oct 2025 15:42:03 +0300
Subject: [PATCH 1/2] fix(ang-925): fixed addons security issues

---
 .../project-addons.component.html             |  2 +-
 .../settings-addons.component.html            |  4 +--
 .../addon-card-list.component.html            |  2 +-
 .../addon-card-list.component.spec.ts         |  2 +-
 .../addon-card-list.component.ts              |  2 +-
 .../addon-card/addon-card.component.html      |  4 ++-
 .../addons/addon-card/addon-card.component.ts | 31 +++++++++++++++++--
 7 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/src/app/features/project/project-addons/project-addons.component.html b/src/app/features/project/project-addons/project-addons.component.html
index b61ef5235..bf105fc8f 100644
--- a/src/app/features/project/project-addons/project-addons.component.html
+++ b/src/app/features/project/project-addons/project-addons.component.html
@@ -40,7 +40,7 @@
           </div>
         </section>
         @if (!isAllAddonsTabLoading()) {
-          <osf-addon-card-list [cards]="filteredAddonCards()" [showDangerButton]="false" />
+          <osf-addon-card-list [cards]="filteredAddonCards()" [isConnected]="false" />
         } @else {
           <div class="flex-1 mt-4 md:mt-8 lg:pt-5">
             <osf-loading-spinner />
diff --git a/src/app/features/settings/settings-addons/settings-addons.component.html b/src/app/features/settings/settings-addons/settings-addons.component.html
index 6e347e7b4..f75878339 100644
--- a/src/app/features/settings/settings-addons/settings-addons.component.html
+++ b/src/app/features/settings/settings-addons/settings-addons.component.html
@@ -43,7 +43,7 @@
         </section>
 
         @if (!isAddonsLoading()) {
-          <osf-addon-card-list [cards]="filteredAddonCards()" [showDangerButton]="false" />
+          <osf-addon-card-list [cards]="filteredAddonCards()" [isConnected]="false" />
         } @else {
           <div class="mt-8">
             <osf-loading-spinner />
@@ -62,7 +62,7 @@
         />
 
         @if (!isAuthorizedAddonsLoading()) {
-          <osf-addon-card-list [cards]="allAuthorizedAddons()" [showDangerButton]="true" />
+          <osf-addon-card-list [cards]="allAuthorizedAddons()" [isConnected]="true" />
         } @else {
           <div class="mt-8">
             <osf-loading-spinner />
diff --git a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.html b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.html
index ff6826ec2..6c46e5d4e 100644
--- a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.html
+++ b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.html
@@ -2,7 +2,7 @@
   @if (cards().length) {
     @for (card of cards(); track $index) {
       <div class="col-12 sm:col-6 md:col-6 lg:col-4">
-        <osf-addon-card [card]="card" [showDangerButton]="showDangerButton()" />
+        <osf-addon-card [card]="card" [isConnected]="isConnected()" />
       </div>
     }
   } @else {
diff --git a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.spec.ts b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.spec.ts
index 8b64c144d..a0a08d1ea 100644
--- a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.spec.ts
+++ b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.spec.ts
@@ -28,6 +28,6 @@ describe('AddonCardListComponent', () => {
   });
 
   it('should have default false value', () => {
-    expect(component.showDangerButton()).toBe(false);
+    expect(component.isConnected()).toBe(false);
   });
 });
diff --git a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.ts b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.ts
index 757788b99..c24567b46 100644
--- a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.ts
+++ b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.ts
@@ -14,5 +14,5 @@ import { AddonCardComponent } from '../addon-card/addon-card.component';
 })
 export class AddonCardListComponent {
   cards = input<(AddonModel | AuthorizedAccountModel | ConfiguredAddonModel | AddonCardModel)[]>([]);
-  showDangerButton = input<boolean>(false);
+  isConnected = input<boolean>(false);
 }
diff --git a/src/app/shared/components/addons/addon-card/addon-card.component.html b/src/app/shared/components/addons/addon-card/addon-card.component.html
index 3536dbd6c..51fd2c4ac 100644
--- a/src/app/shared/components/addons/addon-card/addon-card.component.html
+++ b/src/app/shared/components/addons/addon-card/addon-card.component.html
@@ -14,7 +14,7 @@
     <h3 class="text-center" data-test-addon-card-title>{{ actualAddon()?.displayName }}</h3>
 
     <div class="flex justify-content-center align-items-center md:gap-5 md:mt-3 btn-container">
-      @if (showDangerButton()) {
+      @if (isConnected()) {
         <p-button
           [label]="'settings.addons.form.buttons.disable' | translate"
           severity="danger"
@@ -26,6 +26,8 @@ <h3 class="text-center" data-test-addon-card-title>{{ actualAddon()?.displayName
       <p-button
         [label]="buttonLabel() | translate"
         severity="secondary"
+        [disabled]="!canConfigure()"
+        [class.opacity-0]="!canConfigure()"
         (onClick)="!isConfiguredAddon() ? onConnectAddon() : onConfigureAddon()"
       ></p-button>
     </div>
diff --git a/src/app/shared/components/addons/addon-card/addon-card.component.ts b/src/app/shared/components/addons/addon-card/addon-card.component.ts
index 2f72405b7..d37eb4f86 100644
--- a/src/app/shared/components/addons/addon-card/addon-card.component.ts
+++ b/src/app/shared/components/addons/addon-card/addon-card.component.ts
@@ -25,7 +25,7 @@ export class AddonCardComponent {
   private readonly actions = createDispatchMap({ deleteAuthorizedAddon: DeleteAuthorizedAddon });
 
   readonly card = input<AddonModel | AuthorizedAccountModel | ConfiguredAddonModel | AddonCardModel | null>(null);
-  readonly showDangerButton = input<boolean>(false);
+  readonly isConnected = input<boolean>(false);
 
   readonly actualAddon = computed(() => {
     const actualCard = this.card();
@@ -50,8 +50,35 @@ export class AddonCardComponent {
     return isConfiguredAddon(actualCard);
   });
 
+  readonly canConfigure = computed(() => {
+    const isConfigured = this.isConfiguredAddon();
+
+    if (!isConfigured) return true;
+
+    const addon = this.card();
+
+    if (!addon) return true;
+
+    if ('configuredAddon' in addon && addon.configuredAddon) {
+      return addon.configuredAddon.currentUserIsOwner;
+    }
+
+    if ('currentUserIsOwner' in addon) {
+      return addon.currentUserIsOwner;
+    }
+
+    return true;
+  });
+
   readonly buttonLabel = computed(() => {
-    return this.isConfiguredAddon() ? 'settings.addons.form.buttons.configure' : 'settings.addons.form.buttons.connect';
+    const isConfigured = this.isConfiguredAddon();
+    const isConnected = this.isConnected();
+
+    if (isConfigured) {
+      return 'settings.addons.form.buttons.configure';
+    }
+
+    return isConnected ? 'settings.addons.form.buttons.reconnect' : 'settings.addons.form.buttons.connect';
   });
 
   onConnectAddon(): void {

From 2d1d689d010afdc1cb6ec369219af4b1e2fbd69b Mon Sep 17 00:00:00 2001
From: Roman Nastyuk <rnastyuk@exoft.net>
Date: Fri, 3 Oct 2025 16:31:09 +0300
Subject: [PATCH 2/2] fix(ang-925): fixed permissions issue for addons

---
 .../configure-addon.component.html               | 14 ++++++++------
 .../configure-addon/configure-addon.component.ts |  1 +
 .../project-addons/project-addons.component.html | 12 ++++++++++--
 .../project-addons/project-addons.component.ts   |  2 ++
 .../settings-addons.component.html               |  4 ++--
 .../addon-card-list.component.html               |  2 +-
 .../addon-card-list/addon-card-list.component.ts |  1 +
 .../addons/addon-card/addon-card.component.ts    | 16 +++-------------
 8 files changed, 28 insertions(+), 24 deletions(-)

diff --git a/src/app/features/project/project-addons/components/configure-addon/configure-addon.component.html b/src/app/features/project/project-addons/components/configure-addon/configure-addon.component.html
index 977fdcf37..196a27a5e 100644
--- a/src/app/features/project/project-addons/components/configure-addon/configure-addon.component.html
+++ b/src/app/features/project/project-addons/components/configure-addon/configure-addon.component.html
@@ -24,12 +24,14 @@ <h2 class="align-self-center inline-block">
               </p>
 
               <div class="flex gap-2">
-                <p-button
-                  icon="fas fa-pencil"
-                  text
-                  (click)="toggleEditMode()"
-                  (keydown.enter)="toggleEditMode()"
-                ></p-button>
+                @if (canRename()) {
+                  <p-button
+                    icon="fas fa-pencil"
+                    text
+                    (click)="toggleEditMode()"
+                    (keydown.enter)="toggleEditMode()"
+                  ></p-button>
+                }
                 <p-button
                   icon="fas fa-trash"
                   severity="danger"
diff --git a/src/app/features/project/project-addons/components/configure-addon/configure-addon.component.ts b/src/app/features/project/project-addons/components/configure-addon/configure-addon.component.ts
index c30d2c0f2..16b2e9294 100644
--- a/src/app/features/project/project-addons/components/configure-addon/configure-addon.component.ts
+++ b/src/app/features/project/project-addons/components/configure-addon/configure-addon.component.ts
@@ -72,6 +72,7 @@ export class ConfigureAddonComponent implements OnInit {
   addon = signal<ConfiguredAddonModel | null>(null);
 
   readonly isGoogleDrive = computed(() => this.storageAddon()?.wbKey === 'googledrive');
+  readonly canRename = computed(() => this.addon()?.currentUserIsOwner ?? false);
 
   isEditMode = signal<boolean>(false);
   selectedStorageItemId = signal('');
diff --git a/src/app/features/project/project-addons/project-addons.component.html b/src/app/features/project/project-addons/project-addons.component.html
index bf105fc8f..a318e1f44 100644
--- a/src/app/features/project/project-addons/project-addons.component.html
+++ b/src/app/features/project/project-addons/project-addons.component.html
@@ -40,7 +40,11 @@
           </div>
         </section>
         @if (!isAllAddonsTabLoading()) {
-          <osf-addon-card-list [cards]="filteredAddonCards()" [isConnected]="false" />
+          <osf-addon-card-list
+            [cards]="filteredAddonCards()"
+            [isConnected]="false"
+            [hasAdminAccess]="hasAdminAccess()"
+          />
         } @else {
           <div class="flex-1 mt-4 md:mt-8 lg:pt-5">
             <osf-loading-spinner />
@@ -58,7 +62,11 @@
         />
 
         @if (!isConfiguredAddonsLoading()) {
-          <osf-addon-card-list [cards]="allConfiguredAddons()" />
+          <osf-addon-card-list
+            [cards]="allConfiguredAddons()"
+            [isConnected]="false"
+            [hasAdminAccess]="hasAdminAccess()"
+          />
         } @else {
           <div class="flex-1 mt-6 md:mt-8 lg:pt-7">
             <osf-loading-spinner />
diff --git a/src/app/features/project/project-addons/project-addons.component.ts b/src/app/features/project/project-addons/project-addons.component.ts
index 1c836492d..afef047ac 100644
--- a/src/app/features/project/project-addons/project-addons.component.ts
+++ b/src/app/features/project/project-addons/project-addons.component.ts
@@ -41,6 +41,7 @@ import {
   GetLinkAddons,
   GetStorageAddons,
 } from '@shared/stores/addons';
+import { CurrentResourceSelectors } from '@shared/stores/current-resource';
 
 @Component({
   selector: 'osf-project-addons',
@@ -75,6 +76,7 @@ export class ProjectAddonsComponent implements OnInit {
   selectedTab = signal<number>(this.defaultTabValue);
 
   currentUser = select(UserSelectors.getCurrentUser);
+  hasAdminAccess = select(CurrentResourceSelectors.hasAdminAccess);
   addonsResourceReference = select(AddonsSelectors.getAddonsResourceReference);
   addonsUserReference = select(AddonsSelectors.getAddonsUserReference);
   storageAddons = select(AddonsSelectors.getStorageAddons);
diff --git a/src/app/features/settings/settings-addons/settings-addons.component.html b/src/app/features/settings/settings-addons/settings-addons.component.html
index f75878339..fe79a2592 100644
--- a/src/app/features/settings/settings-addons/settings-addons.component.html
+++ b/src/app/features/settings/settings-addons/settings-addons.component.html
@@ -43,7 +43,7 @@
         </section>
 
         @if (!isAddonsLoading()) {
-          <osf-addon-card-list [cards]="filteredAddonCards()" [isConnected]="false" />
+          <osf-addon-card-list [cards]="filteredAddonCards()" [isConnected]="false" [hasAdminAccess]="true" />
         } @else {
           <div class="mt-8">
             <osf-loading-spinner />
@@ -62,7 +62,7 @@
         />
 
         @if (!isAuthorizedAddonsLoading()) {
-          <osf-addon-card-list [cards]="allAuthorizedAddons()" [isConnected]="true" />
+          <osf-addon-card-list [cards]="allAuthorizedAddons()" [isConnected]="true" [hasAdminAccess]="true" />
         } @else {
           <div class="mt-8">
             <osf-loading-spinner />
diff --git a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.html b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.html
index 6c46e5d4e..a9b81d562 100644
--- a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.html
+++ b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.html
@@ -2,7 +2,7 @@
   @if (cards().length) {
     @for (card of cards(); track $index) {
       <div class="col-12 sm:col-6 md:col-6 lg:col-4">
-        <osf-addon-card [card]="card" [isConnected]="isConnected()" />
+        <osf-addon-card [card]="card" [isConnected]="isConnected()" [hasAdminAccess]="hasAdminAccess()" />
       </div>
     }
   } @else {
diff --git a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.ts b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.ts
index c24567b46..546b49fd2 100644
--- a/src/app/shared/components/addons/addon-card-list/addon-card-list.component.ts
+++ b/src/app/shared/components/addons/addon-card-list/addon-card-list.component.ts
@@ -15,4 +15,5 @@ import { AddonCardComponent } from '../addon-card/addon-card.component';
 export class AddonCardListComponent {
   cards = input<(AddonModel | AuthorizedAccountModel | ConfiguredAddonModel | AddonCardModel)[]>([]);
   isConnected = input<boolean>(false);
+  hasAdminAccess = input<boolean>(false);
 }
diff --git a/src/app/shared/components/addons/addon-card/addon-card.component.ts b/src/app/shared/components/addons/addon-card/addon-card.component.ts
index d37eb4f86..44aaf058c 100644
--- a/src/app/shared/components/addons/addon-card/addon-card.component.ts
+++ b/src/app/shared/components/addons/addon-card/addon-card.component.ts
@@ -26,6 +26,7 @@ export class AddonCardComponent {
 
   readonly card = input<AddonModel | AuthorizedAccountModel | ConfiguredAddonModel | AddonCardModel | null>(null);
   readonly isConnected = input<boolean>(false);
+  readonly hasAdminAccess = input<boolean>(false);
 
   readonly actualAddon = computed(() => {
     const actualCard = this.card();
@@ -52,22 +53,11 @@ export class AddonCardComponent {
 
   readonly canConfigure = computed(() => {
     const isConfigured = this.isConfiguredAddon();
+    const hasAdmin = this.hasAdminAccess();
 
     if (!isConfigured) return true;
 
-    const addon = this.card();
-
-    if (!addon) return true;
-
-    if ('configuredAddon' in addon && addon.configuredAddon) {
-      return addon.configuredAddon.currentUserIsOwner;
-    }
-
-    if ('currentUserIsOwner' in addon) {
-      return addon.currentUserIsOwner;
-    }
-
-    return true;
+    return hasAdmin;
   });
 
   readonly buttonLabel = computed(() => {