diff --git a/src/backend/src/modules/apps/ProtectedAppService.js b/src/backend/src/modules/apps/ProtectedAppService.js index 7b17644350..5adc302b18 100644 --- a/src/backend/src/modules/apps/ProtectedAppService.js +++ b/src/backend/src/modules/apps/ProtectedAppService.js @@ -59,7 +59,7 @@ class ProtectedAppService extends BaseService { // Owner of procted app has implicit permission to access it svc_permission.register_implicator(PermissionImplicator.create({ matcher: permission => { - return permission.startsWith('app:'); + return permission.startsWith('app:') || permission.startsWith('manage:app'); }, checker: async ({ actor, permission }) => { if ( ! (actor.type instanceof UserActorType) ) { @@ -67,10 +67,12 @@ class ProtectedAppService extends BaseService { } const parts = PermissionUtil.split(permission); - if ( parts.length !== 3 ) return undefined; - const [_, uid_part, lvl] = parts; - if ( lvl !== 'access' ) return undefined; + if ( parts[0] === 'manage' ) parts.shift(); + + if ( parts.length < 2 ) return undefined; + + const [_, uid_part] = parts; // track: slice a prefix const uid = uid_part.slice('uid#'.length); diff --git a/src/backend/src/services/auth/PermissionService.js b/src/backend/src/services/auth/PermissionService.js index d55d6f8a08..88bd867288 100644 --- a/src/backend/src/services/auth/PermissionService.js +++ b/src/backend/src/services/auth/PermissionService.js @@ -887,9 +887,7 @@ class PermissionService extends BaseService { // DELETE permission await this.services.get('su').sudo(() => - this.kvService.set(PermissionUtil.join(PERM_KEY_PREFIX, user.id, permission), { - deleted: true, - })); + this.kvService.del({ key: PermissionUtil.join(PERM_KEY_PREFIX, user.id, permission) })); } /**