fix(security): validate bot access (#11978)

* fix(security): validate bot access * fix e2e
botpress · Jul 14, 2022 · 4277f5c · 4277f5c
1 parent 04f96eb
commit 4277f5c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/packages/bp/src/core/security/router-security.ts b/packages/bp/src/core/security/router-security.ts
@@ -211,6 +211,11 @@ const checkPermissions = (workspaceService: WorkspaceService) => (
     return new ForbiddenError(`User "${email}" doesn't have access to workspace "${req.workspace}"`)
   }
 
+  const isBotIdValid = req.params.botId && req.params.botId !== ALL_BOTS
+  if (isBotIdValid && !(await workspaceService.isBotInWorkspace(req.workspace, req.params.botId))) {
+    return new NotFoundError(`Bot "${req.params.botId}" doesn't exist in workspace "${req.workspace}"`)
+  }
+
   const role = await workspaceService.getRoleForUser(email, strategy, req.workspace)
 
   if (!role || !checkRule(role.rules, operation, resource)) {

diff --git a/packages/bp/src/core/users/workspace-service.ts b/packages/bp/src/core/users/workspace-service.ts
@@ -370,6 +370,15 @@ export class WorkspaceService {
     return !!pipeline && pipeline.length > 1
   }
 
+  async isBotInWorkspace(workspaceId: string, botId: string): Promise<boolean> {
+    try {
+      const workspace = await this.findWorkspace(workspaceId)
+      return workspace.bots.includes(botId)
+    } catch (err) {
+      return false
+    }
+  }
+
   // @deprecated
   async listUsers(workspaceId?: string): Promise<WorkspaceUser[]> {
     if (workspaceId) {