From 3a35966def4b78de823143b5e40ab013dc8eedae Mon Sep 17 00:00:00 2001 From: aditya-mitra <55396651+aditya-mitra@users.noreply.github.com> Date: Fri, 27 Oct 2023 09:46:07 +0530 Subject: [PATCH 1/5] refactor scopes for `project` services --- .../projects/project-build/project-build.hooks.ts | 7 ++++--- .../project-github-push.hooks.ts | 2 +- .../project-invalidate/project-invalidate.hooks.ts | 5 +++-- .../project-permission/project-permission.hooks.ts | 8 ++++---- .../project-permission/project-permission.test.ts | 6 +++++- .../src/projects/project/project.hooks.ts | 13 +++++++------ .../server-core/src/projects/project/project.ts | 6 +++--- .../src/projects/scene-upload/scene-upload.hooks.ts | 3 ++- .../server-core/src/projects/scene/scene.hooks.ts | 8 ++++---- 9 files changed, 33 insertions(+), 25 deletions(-) diff --git a/packages/server-core/src/projects/project-build/project-build.hooks.ts b/packages/server-core/src/projects/project-build/project-build.hooks.ts index 5c277173c39..ac70924d38d 100644 --- a/packages/server-core/src/projects/project-build/project-build.hooks.ts +++ b/packages/server-core/src/projects/project-build/project-build.hooks.ts @@ -21,6 +21,7 @@ Ethereal Engine. All Rights Reserved. import { hooks as schemaHooks } from '@feathersjs/schema' import { projectBuildPatchValidator } from '@etherealengine/engine/src/schemas/projects/project-build.schema' +import { iff, isProvider } from 'feathers-hooks-common' import verifyScope from '../../hooks/verify-scope' import { projectBuildExternalResolver, 
@@ -35,14 +36,14 @@ export default { before: { all: [], - find: [verifyScope('admin', 'admin')], + find: [iff(isProvider('external'), verifyScope('projects', 'read'))], get: [], create: [], update: [], patch: [ + iff(isProvider('external'), verifyScope('projects', 'write')), () => schemaHooks.validateData(projectBuildPatchValidator), - schemaHooks.resolveData(projectBuildPatchResolver), - verifyScope('admin', 'admin') + schemaHooks.resolveData(projectBuildPatchResolver) ], remove: [] }, diff --git a/packages/server-core/src/projects/project-github-push/project-github-push.hooks.ts b/packages/server-core/src/projects/project-github-push/project-github-push.hooks.ts index 6fe42fc9fc8..41721b6f565 100644 --- a/packages/server-core/src/projects/project-github-push/project-github-push.hooks.ts +++ b/packages/server-core/src/projects/project-github-push/project-github-push.hooks.ts @@ -33,7 +33,7 @@ export default { get: [], create: [], update: [], - patch: [iff(isProvider('external'), verifyScope('editor', 'write') as any, projectPermissionAuthenticate('write'))], + patch: [iff(isProvider('external'), verifyScope('projects', 'write'), projectPermissionAuthenticate('write'))], remove: [] }, after: { diff --git a/packages/server-core/src/projects/project-invalidate/project-invalidate.hooks.ts b/packages/server-core/src/projects/project-invalidate/project-invalidate.hooks.ts index b9e3c47c865..243fab47707 100644 --- a/packages/server-core/src/projects/project-invalidate/project-invalidate.hooks.ts +++ b/packages/server-core/src/projects/project-invalidate/project-invalidate.hooks.ts 
@@ -21,6 +21,7 @@ Ethereal Engine. All Rights Reserved. import { hooks as schemaHooks } from '@feathersjs/schema' import { projectInvalidatePatchValidator } from '@etherealengine/engine/src/schemas/projects/project-invalidate.schema' +import { iff, isProvider } from 'feathers-hooks-common' import verifyScope from '../../hooks/verify-scope' import { projectInvalidatePatchResolver } from './project-invalidate.resolvers' @@ -36,9 +37,9 @@ export default { create: [], update: [], patch: [ + iff(isProvider('external'), verifyScope('projects', 'write')), () => schemaHooks.validateData(projectInvalidatePatchValidator), - schemaHooks.resolveData(projectInvalidatePatchResolver), - verifyScope('admin', 'admin') + schemaHooks.resolveData(projectInvalidatePatchResolver) ], remove: [] }, diff --git a/packages/server-core/src/projects/project-permission/project-permission.hooks.ts b/packages/server-core/src/projects/project-permission/project-permission.hooks.ts index 7d07cc711d3..13b81a75859 100644 --- a/packages/server-core/src/projects/project-permission/project-permission.hooks.ts +++ b/packages/server-core/src/projects/project-permission/project-permission.hooks.ts @@ -29,6 +29,7 @@ import { disallow, iff, isProvider } from 'feathers-hooks-common' import verifyProjectOwner from '../../hooks/verify-project-owner' import { INVITE_CODE_REGEX, USER_ID_REGEX } from '@etherealengine/common/src/constants/IdConstants' +import { checkScope } from '@etherealengine/engine/src/common/functions/checkScope' import { ProjectPermissionData, ProjectPermissionPatch, @@ -89,7 +90,6 @@ const checkExistingPermissions = async (context: HookContext scope.type === 'admin:admin') && selfUser.id === users.data[0].id) + ((await checkScope(selfUser, 'projects', 'write')) && selfUser.id === users.data[0].id) ? 'owner' : 'user' } 
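Review bot: The role ternary in the `checkExistingPermissions` hunk now yields `'owner'` for any caller who holds `projects:write` and is adding themselves, where the removed line required `admin:admin`. The same patch uses `projects:write` as the ordinary gate on the project-build, project-invalidate and project-github-push `patch` methods, so, as far as the visible condition shows, a write-scoped user can become owner of a project they were never granted. Part of the condition appears to be missing from this page, so confirm against the file. If the widening is intended, record it next to the ternary with a comment such as `// projects:write holders may self-assign ownership of any project`; otherwise keep this branch on a scope that is not issued for routine writes.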
@@ -143,8 +143,7 @@ const checkExistingPermissions = async (context: HookContext) => { if (!context.params.user) return false - if (context.params.user.scopes.find((scope) => scope.type === 'admin:admin')) return false - return true + return checkScope(context.params.user, 'projects', 'read') } /** @@ -173,6 +172,7 @@ const checkPermissionStatus = async (context: HookContext) => { const loggedInUser = context.params!.user! + if (await checkScope(loggedInUser, 'projects', 'read')) return if (loggedInUser.scopes?.find((scope) => scope.type === 'admin:admin')) return context const result = (Array.isArray(context.result) ? context.result : [context.result]) as ProjectPermissionType[] if (result[0].userId !== loggedInUser.id) throw new Forbidden('You do not own this project-permission') diff --git a/packages/server-core/src/projects/project-permission/project-permission.test.ts b/packages/server-core/src/projects/project-permission/project-permission.test.ts index b89cb415b7d..67ffab20937 100644 --- a/packages/server-core/src/projects/project-permission/project-permission.test.ts +++ b/packages/server-core/src/projects/project-permission/project-permission.test.ts @@ -144,7 +144,11 @@ describe('project-permission.test', () => { userId: user4.id }) await app.service(scopePath).create({ - type: 'admin:admin', + type: 'project:read', + userId: user4.id + }) + await app.service(scopePath).create({ + type: 'project:write', userId: user4.id }) }) diff --git a/packages/server-core/src/projects/project/project.hooks.ts b/packages/server-core/src/projects/project/project.hooks.ts index 8ee870221a2..cd730f81ad2 100644 --- a/packages/server-core/src/projects/project/project.hooks.ts +++ b/packages/server-core/src/projects/project/project.hooks.ts 
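Review bot: The rewritten predicate in the `@@ -143,8 +143,7 @@` hunk returns the opposite of what it returned before for scoped users: the removed lines gave `false` when the user held `admin:admin` and `true` otherwise, while `return checkScope(context.params.user, 'projects', 'read')` gives `true` exactly when the user holds the scope. If the function is used as an `iff` condition that decides whether a further restriction applies to non-privileged callers (its name and call site are outside the hunk), that restriction now runs for scope holders and is skipped for everyone else. Keeping the old polarity would be `return !(await checkScope(context.params.user, 'projects', 'read'))`.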
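Review bot: The early return added in the `@@ -173,6 +172,7 @@` hunk lets any holder of `projects:read` skip the `result[0].userId !== loggedInUser.id` check that throws `Forbidden`, so a read scope is deciding an ownership question. That is reasonable only if the hook is attached to read methods; its registration is outside the hunk, so confirm it is not also wired to `patch` or `remove`, where `projects:write` would be the matching scope. The new line also uses a bare `return` while the `admin:admin` line directly below returns `context`; `if (await checkScope(loggedInUser, 'projects', 'read')) return context` keeps the two exits consistent.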
@@ -42,6 +42,7 @@ import verifyScope from '../../hooks/verify-scope' import { projectPermissionDataResolver } from '../project-permission/project-permission.resolvers' import { GITHUB_URL_REGEX } from '@etherealengine/common/src/constants/GitHubConstants' +import { checkScope } from '@etherealengine/engine/src/common/functions/checkScope' import { apiJobPath } from '@etherealengine/engine/src/schemas/cluster/api-job.schema' import { StaticResourceType, staticResourcePath } from '@etherealengine/engine/src/schemas/media/static-resource.schema' import { ProjectBuildUpdateItemType } from '@etherealengine/engine/src/schemas/projects/project-build.schema' @@ -125,7 +126,7 @@ const ensurePushStatus = async (context: HookContext) => { .select() .options({ nestTables: true }) - const allowedProjects = await projectPermissions.map((permission) => permission.project) + const allowedProjects = projectPermissions.map((permission) => permission.project) const repoAccess = githubIdentityProvider.data.length > 0 ? ((await context.app.service(githubRepoAccessPath).find({ @@ -175,7 +176,7 @@ const ensurePushStatus = async (context: HookContext) => { context.projectPushIds = context.projectPushIds.concat(matchingAllowedRepos.map((repo) => repo.id)) } - if (!context.params.user!.scopes?.find((scope) => scope.type === 'admin:admin')) + if (!(await checkScope(context.params.user!, 'projects', 'read'))) context.params.query.id = { $in: [...new Set(allowedProjects.map((project) => project.id))] } } } @@ -551,7 +552,7 @@ export default { find: [enableClientPagination(), ensurePushStatus, addLimitToParams], get: [], create: [ - iff(isProvider('external'), verifyScope('editor', 'write')), + iff(isProvider('external'), verifyScope('projects', 'write')), () => schemaHooks.validateData(projectDataValidator), schemaHooks.resolveData(projectDataResolver), checkIfProjectExists, 
@@ -560,18 +561,18 @@ export default { updateCreateData ], update: [ - iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false)), + iff(isProvider('external'), verifyScope('projects', 'write'), projectPermissionAuthenticate(false)), () => schemaHooks.validateData(projectPatchValidator), updateProjectJob ], patch: [ - iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false)), + iff(isProvider('external'), verifyScope('projects', 'write'), projectPermissionAuthenticate(false)), () => schemaHooks.validateData(projectPatchValidator), schemaHooks.resolveData(projectPatchResolver), iff(isProvider('external'), linkGithubToProject) ], remove: [ - iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false)), + iff(isProvider('external'), verifyScope('projects', 'write'), projectPermissionAuthenticate(false)), getProjectName, runProjectUninstallScript, removeProjectFiles, diff --git a/packages/server-core/src/projects/project/project.ts b/packages/server-core/src/projects/project/project.ts index a1e6beb23d7..757593cc511 100644 --- a/packages/server-core/src/projects/project/project.ts +++ b/packages/server-core/src/projects/project/project.ts @@ -75,14 +75,14 @@ export default (app: Application): void => { })) as any as ProjectPermissionType[] targetIds = targetIds.concat(projectOwners.map((permission) => permission.userId)) - const adminScopes = (await app.service(scopePath).find({ + const projectReadScopes = (await app.service(scopePath).find({ query: { - type: 'admin:admin' + type: 'projects:read' }, paginate: false })) as ScopeType[] - targetIds = targetIds.concat(adminScopes.map((admin) => admin.userId!)) + targetIds = targetIds.concat(projectReadScopes.map((admin) => admin.userId!)) targetIds = _.uniq(targetIds) return Promise.all(targetIds.map((userId: UserID) => app.channel(`userIds/${userId}`).send(data))) } catch (err) { 
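Review bot: In the `project.ts` hunk the recipient list is now built from every `projects:read` scope row, but the callback still reads `projectReadScopes.map((admin) => admin.userId!)`, which names the element after a role it no longer represents and asserts a non-null `userId`. This list decides which `userIds/${userId}` channels receive project events, so a scope row without a `userId` would produce the channel name `userIds/undefined` instead of being skipped. Consider `projectReadScopes.flatMap((scope) => (scope.userId ? [scope.userId] : []))`. The publish handler starts and ends outside the hunk.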
diff --git a/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts b/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts index e52aa1d5804..f526829d723 100644 --- a/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts +++ b/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts @@ -18,6 +18,7 @@ All portions of the code written by the Ethereal Engine team are Copyright © 20 Ethereal Engine. All Rights Reserved. */ +import { iff, isProvider } from 'feathers-hooks-common' import verifyScope from '../../hooks/verify-scope' export default { @@ -29,7 +30,7 @@ export default { all: [], find: [], get: [], - create: [verifyScope('editor', 'write')], + create: [iff(isProvider('external'), verifyScope('scene', 'write'))], update: [], patch: [], remove: [] diff --git a/packages/server-core/src/projects/scene/scene.hooks.ts b/packages/server-core/src/projects/scene/scene.hooks.ts index 465e9694f41..c9a91c9da71 100755 --- a/packages/server-core/src/projects/scene/scene.hooks.ts +++ b/packages/server-core/src/projects/scene/scene.hooks.ts 
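Review bot: The `create` hook in `scene-upload.hooks.ts` is gated by the scope check alone, while every write method in `scene.hooks.ts` in this same patch pairs `verifyScope` with `projectPermissionAuthenticate(false)`. Unless the upload service checks project permission itself (not visible here), a user holding the scope can upload a scene into a project they have no permission on. Mirroring the sibling hooks would be `create: [iff(isProvider('external'), verifyScope('scene', 'write'), projectPermissionAuthenticate(false))]`, with the matching import added. The later `scene-upload.hooks.ts` hunks in patches 3 and 5 rewrite this line and leave the same gap.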
@@ -34,10 +34,10 @@ export default { all: [], find: [], get: [], - create: [iff(isProvider('external'), verifyScope('editor', 'write') as any, projectPermissionAuthenticate(false))], - update: [iff(isProvider('external'), verifyScope('editor', 'write') as any, projectPermissionAuthenticate(false))], - patch: [iff(isProvider('external'), verifyScope('editor', 'write') as any, projectPermissionAuthenticate(false))], - remove: [iff(isProvider('external'), verifyScope('editor', 'write') as any, projectPermissionAuthenticate(false))] + create: [iff(isProvider('external'), verifyScope('scene', 'write'), projectPermissionAuthenticate(false))], + update: [iff(isProvider('external'), verifyScope('scene', 'write'), projectPermissionAuthenticate(false))], + patch: [iff(isProvider('external'), verifyScope('scene', 'write'), projectPermissionAuthenticate(false))], + remove: [iff(isProvider('external'), verifyScope('scene', 'write'), projectPermissionAuthenticate(false))] }, after: { From af787cf86034d17111fef04cec116ab4035cb5a3 Mon Sep 17 00:00:00 2001 From: aditya-mitra <55396651+aditya-mitra@users.noreply.github.com> Date: Mon, 30 Oct 2023 18:38:31 +0530 Subject: [PATCH 2/5] tests: correction of scope name --- .../projects/project-permission/project-permission.test.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/server-core/src/projects/project-permission/project-permission.test.ts b/packages/server-core/src/projects/project-permission/project-permission.test.ts index 67ffab20937..e7ca74f7500 100644 --- a/packages/server-core/src/projects/project-permission/project-permission.test.ts +++ b/packages/server-core/src/projects/project-permission/project-permission.test.ts 
@@ -144,11 +144,11 @@ describe('project-permission.test', () => { userId: user4.id }) await app.service(scopePath).create({ - type: 'project:read', + type: 'projects:read', userId: user4.id }) await app.service(scopePath).create({ - type: 'project:write', + type: 'projects:write', userId: user4.id }) }) From da9eb19119731715916c583eeb69a8eef016bd61 Mon Sep 17 00:00:00 2001 From: aditya-mitra <55396651+aditya-mitra@users.noreply.github.com> Date: Tue, 31 Oct 2023 10:50:45 +0530 Subject: [PATCH 3/5] fix: `editor:write` scope for changing project data --- .../server-core/src/projects/project/project.hooks.ts | 8 ++++---- .../src/projects/scene-upload/scene-upload.hooks.ts | 2 +- packages/server-core/src/projects/scene/scene.hooks.ts | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/packages/server-core/src/projects/project/project.hooks.ts b/packages/server-core/src/projects/project/project.hooks.ts index 080b6515831..1728b5e52a3 100644 --- a/packages/server-core/src/projects/project/project.hooks.ts +++ b/packages/server-core/src/projects/project/project.hooks.ts @@ -552,7 +552,7 @@ export default { find: [enableClientPagination(), ensurePushStatus, addLimitToParams], get: [], create: [ - iff(isProvider('external'), verifyScope('projects', 'write')), + iff(isProvider('external'), verifyScope('editor', 'write')), () => schemaHooks.validateData(projectDataValidator), schemaHooks.resolveData(projectDataResolver), checkIfProjectExists, 
@@ -561,17 +561,17 @@ export default { updateCreateData ], update: [ - iff(isProvider('external'), verifyScope('projects', 'write'), projectPermissionAuthenticate(false)), + iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false)), updateProjectJob ], patch: [ - iff(isProvider('external'), verifyScope('projects', 'write'), projectPermissionAuthenticate(false)), + iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false)), () => schemaHooks.validateData(projectPatchValidator), schemaHooks.resolveData(projectPatchResolver), iff(isProvider('external'), linkGithubToProject) ], remove: [ - iff(isProvider('external'), verifyScope('projects', 'write'), projectPermissionAuthenticate(false)), + iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false)), getProjectName, runProjectUninstallScript, removeProjectFiles, diff --git a/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts b/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts index f526829d723..7e86a01e95f 100644 --- a/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts +++ b/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts @@ -30,7 +30,7 @@ export default { all: [], find: [], get: [], - create: [iff(isProvider('external'), verifyScope('scene', 'write'))], + create: [iff(isProvider('external'), verifyScope('editor', 'write'))], update: [], patch: [], remove: [] diff --git a/packages/server-core/src/projects/scene/scene.hooks.ts b/packages/server-core/src/projects/scene/scene.hooks.ts index c9a91c9da71..7d00e67a609 100755 --- a/packages/server-core/src/projects/scene/scene.hooks.ts +++ b/packages/server-core/src/projects/scene/scene.hooks.ts 
@@ -34,10 +34,10 @@ export default { all: [], find: [], get: [], - create: [iff(isProvider('external'), verifyScope('scene', 'write'), projectPermissionAuthenticate(false))], - update: [iff(isProvider('external'), verifyScope('scene', 'write'), projectPermissionAuthenticate(false))], - patch: [iff(isProvider('external'), verifyScope('scene', 'write'), projectPermissionAuthenticate(false))], - remove: [iff(isProvider('external'), verifyScope('scene', 'write'), projectPermissionAuthenticate(false))] + create: [iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false))], + update: [iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false))], + patch: [iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false))], + remove: [iff(isProvider('external'), verifyScope('editor', 'write'), projectPermissionAuthenticate(false))] }, after: { From a91f74a48e576773b4115081fb0cfa3444f9fb1b Mon Sep 17 00:00:00 2001 From: aditya-mitra <55396651+aditya-mitra@users.noreply.github.com> Date: Tue, 31 Oct 2023 10:57:58 +0530 Subject: [PATCH 4/5] fix: scope in verify-project-owner --- packages/server-core/src/hooks/verify-project-owner.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/server-core/src/hooks/verify-project-owner.ts b/packages/server-core/src/hooks/verify-project-owner.ts index eedcb09b174..024b41df62f 100644 --- a/packages/server-core/src/hooks/verify-project-owner.ts +++ b/packages/server-core/src/hooks/verify-project-owner.ts @@ -26,6 +26,7 @@ Ethereal Engine. All Rights Reserved. import { BadRequest, Forbidden, NotAuthenticated } from '@feathersjs/errors' import { HookContext, Paginated } from '@feathersjs/feathers' +import { checkScope } from '@etherealengine/engine/src/common/functions/checkScope' import { ProjectPermissionType, projectPermissionPath 
@@ -39,7 +40,7 @@ export default () => { if (context.params.isInternal) return context const loggedInUser = context.params.user as UserType if (!loggedInUser) throw new NotAuthenticated('No logged in user') - if (loggedInUser.scopes && loggedInUser.scopes.find((scope) => scope.type === 'admin:admin')) return context + if (loggedInUser.scopes && (await checkScope(loggedInUser, 'projects', 'write'))) return context const app = context.app const projectId = context.service === 'project' From 9583be3cca0a7b4da3c3a5c170492fea1d80684b Mon Sep 17 00:00:00 2001 From: aditya-mitra <55396651+aditya-mitra@users.noreply.github.com> Date: Wed, 1 Nov 2023 10:37:13 +0530 Subject: [PATCH 5/5] disallow methods not present in schema --- .../projects/project-build/project-build.hooks.ts | 10 +++++----- .../project-github-push/project-github-push.hooks.ts | 12 ++++++------ .../project-invalidate/project-invalidate.hooks.ts | 12 ++++++------ .../project-permission/project-permission.hooks.ts | 1 - .../src/projects/scene-upload/scene-upload.hooks.ts | 12 ++++++------ 5 files changed, 23 insertions(+), 24 deletions(-) diff --git a/packages/server-core/src/projects/project-build/project-build.hooks.ts b/packages/server-core/src/projects/project-build/project-build.hooks.ts index ac70924d38d..333b096e201 100644 --- a/packages/server-core/src/projects/project-build/project-build.hooks.ts +++ b/packages/server-core/src/projects/project-build/project-build.hooks.ts @@ -21,7 +21,7 @@ Ethereal Engine. All Rights Reserved. import { hooks as schemaHooks } from '@feathersjs/schema' import { projectBuildPatchValidator } from '@etherealengine/engine/src/schemas/projects/project-build.schema' -import { iff, isProvider } from 'feathers-hooks-common' +import { disallow, iff, isProvider } from 'feathers-hooks-common' import verifyScope from '../../hooks/verify-scope' import { projectBuildExternalResolver, 
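Review bot: The owner bypass in `verify-project-owner.ts` keeps the `loggedInUser.scopes &&` guard in front of `checkScope`, while the other call sites in this series (`project.hooks.ts`, `project-permission.hooks.ts`) call `checkScope` on the user directly. If `checkScope` resolves scopes on its own the guard is redundant; if it does not, a user object without a populated `scopes` array gets a different answer here than elsewhere. `if (await checkScope(loggedInUser, 'projects', 'write')) return context` would make the call sites agree, and a one-line comment stating that `projects:write` holders are treated as owner of every project would document the widened bypass. The hook body continues outside the hunk.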
@@ -37,15 +37,15 @@ export default { before: { all: [], find: [iff(isProvider('external'), verifyScope('projects', 'read'))], - get: [], - create: [], - update: [], + get: [disallow()], + create: [disallow()], + update: [disallow()], patch: [ iff(isProvider('external'), verifyScope('projects', 'write')), () => schemaHooks.validateData(projectBuildPatchValidator), schemaHooks.resolveData(projectBuildPatchResolver) ], - remove: [] + remove: [disallow()] }, after: { all: [], diff --git a/packages/server-core/src/projects/project-github-push/project-github-push.hooks.ts b/packages/server-core/src/projects/project-github-push/project-github-push.hooks.ts index 41721b6f565..155c02450f0 100644 --- a/packages/server-core/src/projects/project-github-push/project-github-push.hooks.ts +++ b/packages/server-core/src/projects/project-github-push/project-github-push.hooks.ts @@ -18,7 +18,7 @@ All portions of the code written by the Ethereal Engine team are Copyright © 20 Ethereal Engine. All Rights Reserved. */ -import { iff, isProvider } from 'feathers-hooks-common' +import { disallow, iff, isProvider } from 'feathers-hooks-common' import projectPermissionAuthenticate from '../../hooks/project-permission-authenticate' import verifyScope from '../../hooks/verify-scope' @@ -29,12 +29,12 @@ export default { before: { all: [], - find: [], - get: [], - create: [], - update: [], + find: [disallow()], + get: [disallow()], + create: [disallow()], + update: [disallow()], patch: [iff(isProvider('external'), verifyScope('projects', 'write'), projectPermissionAuthenticate('write'))], - remove: [] + remove: [disallow()] }, after: { all: [], diff --git a/packages/server-core/src/projects/project-invalidate/project-invalidate.hooks.ts b/packages/server-core/src/projects/project-invalidate/project-invalidate.hooks.ts index 243fab47707..8e6a8f20364 100644 --- a/packages/server-core/src/projects/project-invalidate/project-invalidate.hooks.ts 
+++ b/packages/server-core/src/projects/project-invalidate/project-invalidate.hooks.ts @@ -21,7 +21,7 @@ Ethereal Engine. All Rights Reserved. import { hooks as schemaHooks } from '@feathersjs/schema' import { projectInvalidatePatchValidator } from '@etherealengine/engine/src/schemas/projects/project-invalidate.schema' -import { iff, isProvider } from 'feathers-hooks-common' +import { disallow, iff, isProvider } from 'feathers-hooks-common' import verifyScope from '../../hooks/verify-scope' import { projectInvalidatePatchResolver } from './project-invalidate.resolvers' @@ -32,16 +32,16 @@ export default { before: { all: [], - find: [], - get: [], - create: [], - update: [], + find: [disallow()], + get: [disallow()], + create: [disallow()], + update: [disallow()], patch: [ iff(isProvider('external'), verifyScope('projects', 'write')), () => schemaHooks.validateData(projectInvalidatePatchValidator), schemaHooks.resolveData(projectInvalidatePatchResolver) ], - remove: [] + remove: [disallow()] }, after: { all: [], diff --git a/packages/server-core/src/projects/project-permission/project-permission.hooks.ts b/packages/server-core/src/projects/project-permission/project-permission.hooks.ts index 13b81a75859..c169a189e72 100644 --- a/packages/server-core/src/projects/project-permission/project-permission.hooks.ts +++ b/packages/server-core/src/projects/project-permission/project-permission.hooks.ts @@ -173,7 +173,6 @@ const checkPermissionStatus = async (context: HookContext) => { const loggedInUser = context.params!.user! if (await checkScope(loggedInUser, 'projects', 'read')) return - if (loggedInUser.scopes?.find((scope) => scope.type === 'admin:admin')) return context const result = (Array.isArray(context.result) ? context.result : [context.result]) as ProjectPermissionType[] if (result[0].userId !== loggedInUser.id) throw new Forbidden('You do not own this project-permission') } 
diff --git a/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts b/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts index 7e86a01e95f..d3b6d67221e 100644 --- a/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts +++ b/packages/server-core/src/projects/scene-upload/scene-upload.hooks.ts @@ -18,7 +18,7 @@ All portions of the code written by the Ethereal Engine team are Copyright © 20 Ethereal Engine. All Rights Reserved. */ -import { iff, isProvider } from 'feathers-hooks-common' +import { disallow, iff, isProvider } from 'feathers-hooks-common' import verifyScope from '../../hooks/verify-scope' export default { @@ -28,12 +28,12 @@ export default { before: { all: [], - find: [], - get: [], + find: [disallow()], + get: [disallow()], create: [iff(isProvider('external'), verifyScope('editor', 'write'))], - update: [], - patch: [], - remove: [] + update: [disallow()], + patch: [disallow()], + remove: [disallow()] }, after: { all: [],