From 95d6e2eeb6cbe2a1da31f3979411a044d828d9b6 Mon Sep 17 00:00:00 2001
From: aditya-mitra <55396651+aditya-mitra@users.noreply.github.com>
Date: Fri, 27 Oct 2023 08:49:06 +0530
Subject: [PATCH 1/3] refactor scopes for `media` services

---
 .../src/media/file-browser/file-browser.hooks.ts   | 11 ++++++++---
 .../static-resource-filters.hooks.ts               |  3 ++-
 .../media/static-resource/static-resource.hooks.ts | 14 ++++++--------
 3 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/packages/server-core/src/media/file-browser/file-browser.hooks.ts b/packages/server-core/src/media/file-browser/file-browser.hooks.ts
index 3a501bf3843..4cc79ac0619 100755
--- a/packages/server-core/src/media/file-browser/file-browser.hooks.ts
+++ b/packages/server-core/src/media/file-browser/file-browser.hooks.ts
@@ -35,24 +35,29 @@ import verifyScope from '../../hooks/verify-scope'
 
 export default {
   before: {
-    all: [iff(isProvider('external'), verifyScope('editor', 'write'))],
+    all: [iff(isProvider('external'), verifyScope('editor', 'read'))],
     find: [],
     get: [],
     create: [
+      iff(isProvider('external'), verifyScope('editor', 'write')),
       (context) => {
         context[SYNC] = false
         return context
       }
     ],
-    update: [() => schemaHooks.validateData(fileBrowserUpdateValidator)],
+    update: [
+      iff(isProvider('external'), verifyScope('editor', 'write')),
+      () => schemaHooks.validateData(fileBrowserUpdateValidator)
+    ],
     patch: [
+      iff(isProvider('external'), verifyScope('editor', 'write')),
       (context) => {
         context[SYNC] = false
         return context
       },
       () => schemaHooks.validateData(fileBrowserPatchValidator)
     ],
-    remove: []
+    remove: [iff(isProvider('external'), verifyScope('editor', 'write'))]
   },
 
   after: {
diff --git a/packages/server-core/src/media/static-resource-filters/static-resource-filters.hooks.ts b/packages/server-core/src/media/static-resource-filters/static-resource-filters.hooks.ts
index 7642248d42a..790bb614f36 100644
--- a/packages/server-core/src/media/static-resource-filters/static-resource-filters.hooks.ts
+++ b/packages/server-core/src/media/static-resource-filters/static-resource-filters.hooks.ts
@@ -21,6 +21,7 @@ Ethereal Engine. All Rights Reserved.
 import { staticResourceFiltersQueryValidator } from '@etherealengine/engine/src/schemas/media/static-resource-filters.schema'
 import { hooks as schemaHooks } from '@feathersjs/schema'
 
+import { iff, isProvider } from 'feathers-hooks-common'
 import verifyScope from '../../hooks/verify-scope'
 import {
   staticResourceFiltersExternalResolver,
@@ -38,7 +39,7 @@ export default {
 
   before: {
     all: [
-      verifyScope('admin', 'admin'),
+      iff(isProvider('external'), verifyScope('static_resource', 'read')),
       () => schemaHooks.validateQuery(staticResourceFiltersQueryValidator),
       schemaHooks.resolveQuery(staticResourceFiltersQueryResolver)
     ],
diff --git a/packages/server-core/src/media/static-resource/static-resource.hooks.ts b/packages/server-core/src/media/static-resource/static-resource.hooks.ts
index ae89b302070..00aa458a3a7 100755
--- a/packages/server-core/src/media/static-resource/static-resource.hooks.ts
+++ b/packages/server-core/src/media/static-resource/static-resource.hooks.ts
@@ -23,7 +23,7 @@ All portions of the code written by the Ethereal Engine team are Copyright © 20
 Ethereal Engine. All Rights Reserved.
 */
 import { hooks as schemaHooks } from '@feathersjs/schema'
-import { disallow } from 'feathers-hooks-common'
+import { disallow, iff, isProvider } from 'feathers-hooks-common'
 
 import {
   staticResourceDataValidator,
@@ -76,27 +76,25 @@ export default {
 
   before: {
     all: [
+      iff(isProvider('external'), verifyScope('static_resource', 'read')),
       () => schemaHooks.validateQuery(staticResourceQueryValidator),
       schemaHooks.resolveQuery(staticResourceQueryResolver)
     ],
     find: [collectAnalytics()],
     get: [disallow('external')],
     create: [
+      iff(isProvider('external'), verifyScope('static_resource', 'write')),
       setLoggedinUserInBody('userId'),
-      verifyScope('admin', 'admin'),
       () => schemaHooks.validateData(staticResourceDataValidator),
       schemaHooks.resolveData(staticResourceDataResolver)
     ],
-    update: [verifyScope('admin', 'admin')],
+    update: [iff(isProvider('external'), verifyScope('static_resource', 'write'))],
     patch: [
-      verifyScope('admin', 'admin'),
+      iff(isProvider('external'), verifyScope('static_resource', 'write')),
       () => schemaHooks.validateData(staticResourcePatchValidator),
       schemaHooks.resolveData(staticResourcePatchResolver)
     ],
-    remove: [
-      // iff(isProvider('external'), verifyScope('admin', 'admin') as any),
-      ensureResource
-    ]
+    remove: [iff(isProvider('external'), verifyScope('static_resource', 'write')), ensureResource]
   },
 
   after: {

From 24b089b93cce3a6e645b7dfd054be8809fcb8b1d Mon Sep 17 00:00:00 2001
From: aditya-mitra <55396651+aditya-mitra@users.noreply.github.com>
Date: Mon, 30 Oct 2023 12:10:46 +0530
Subject: [PATCH 2/3] fix: file-browser only has `editor:write` scope

---
 .../src/media/file-browser/file-browser.hooks.ts      | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/packages/server-core/src/media/file-browser/file-browser.hooks.ts b/packages/server-core/src/media/file-browser/file-browser.hooks.ts
index 4cc79ac0619..3a501bf3843 100755
--- a/packages/server-core/src/media/file-browser/file-browser.hooks.ts
+++ b/packages/server-core/src/media/file-browser/file-browser.hooks.ts
@@ -35,29 +35,24 @@ import verifyScope from '../../hooks/verify-scope'
 
 export default {
   before: {
-    all: [iff(isProvider('external'), verifyScope('editor', 'read'))],
+    all: [iff(isProvider('external'), verifyScope('editor', 'write'))],
     find: [],
     get: [],
     create: [
-      iff(isProvider('external'), verifyScope('editor', 'write')),
       (context) => {
         context[SYNC] = false
         return context
       }
     ],
-    update: [
-      iff(isProvider('external'), verifyScope('editor', 'write')),
-      () => schemaHooks.validateData(fileBrowserUpdateValidator)
-    ],
+    update: [() => schemaHooks.validateData(fileBrowserUpdateValidator)],
     patch: [
-      iff(isProvider('external'), verifyScope('editor', 'write')),
       (context) => {
         context[SYNC] = false
         return context
       },
       () => schemaHooks.validateData(fileBrowserPatchValidator)
     ],
-    remove: [iff(isProvider('external'), verifyScope('editor', 'write'))]
+    remove: []
   },
 
   after: {

From aee88b67ff2cf8abaecb33a0de2b13e67c737a59 Mon Sep 17 00:00:00 2001
From: aditya-mitra <55396651+aditya-mitra@users.noreply.github.com>
Date: Wed, 1 Nov 2023 09:48:04 +0530
Subject: [PATCH 3/3] seperate read scopes for `find` and `get`

---
 .../static-resource-filters.hooks.ts              | 15 +++++++--------
 .../static-resource/static-resource.hooks.ts      |  5 ++---
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/packages/server-core/src/media/static-resource-filters/static-resource-filters.hooks.ts b/packages/server-core/src/media/static-resource-filters/static-resource-filters.hooks.ts
index 790bb614f36..8bc94f7932c 100644
--- a/packages/server-core/src/media/static-resource-filters/static-resource-filters.hooks.ts
+++ b/packages/server-core/src/media/static-resource-filters/static-resource-filters.hooks.ts
@@ -21,7 +21,7 @@ Ethereal Engine. All Rights Reserved.
 import { staticResourceFiltersQueryValidator } from '@etherealengine/engine/src/schemas/media/static-resource-filters.schema'
 import { hooks as schemaHooks } from '@feathersjs/schema'
 
-import { iff, isProvider } from 'feathers-hooks-common'
+import { disallow, iff, isProvider } from 'feathers-hooks-common'
 import verifyScope from '../../hooks/verify-scope'
 import {
   staticResourceFiltersExternalResolver,
@@ -39,16 +39,15 @@ export default {
 
   before: {
     all: [
-      iff(isProvider('external'), verifyScope('static_resource', 'read')),
       () => schemaHooks.validateQuery(staticResourceFiltersQueryValidator),
       schemaHooks.resolveQuery(staticResourceFiltersQueryResolver)
     ],
-    find: [],
-    get: [],
-    create: [],
-    update: [],
-    patch: [],
-    remove: []
+    find: [disallow()],
+    get: [iff(isProvider('external'), verifyScope('static_resource', 'read'))],
+    create: [disallow()],
+    update: [disallow()],
+    patch: [disallow()],
+    remove: [disallow()]
   },
   after: {
     all: [],
diff --git a/packages/server-core/src/media/static-resource/static-resource.hooks.ts b/packages/server-core/src/media/static-resource/static-resource.hooks.ts
index 00aa458a3a7..968063d222c 100755
--- a/packages/server-core/src/media/static-resource/static-resource.hooks.ts
+++ b/packages/server-core/src/media/static-resource/static-resource.hooks.ts
@@ -76,11 +76,10 @@ export default {
 
   before: {
     all: [
-      iff(isProvider('external'), verifyScope('static_resource', 'read')),
       () => schemaHooks.validateQuery(staticResourceQueryValidator),
       schemaHooks.resolveQuery(staticResourceQueryResolver)
     ],
-    find: [collectAnalytics()],
+    find: [iff(isProvider('external'), verifyScope('static_resource', 'read')), collectAnalytics()],
     get: [disallow('external')],
     create: [
       iff(isProvider('external'), verifyScope('static_resource', 'write')),
@@ -88,7 +87,7 @@ export default {
       () => schemaHooks.validateData(staticResourceDataValidator),
       schemaHooks.resolveData(staticResourceDataResolver)
     ],
-    update: [iff(isProvider('external'), verifyScope('static_resource', 'write'))],
+    update: [disallow()],
     patch: [
       iff(isProvider('external'), verifyScope('static_resource', 'write')),
       () => schemaHooks.validateData(staticResourcePatchValidator),