
fix: fixes authorization checks for update product server action #2231

Merged
merged 3 commits into from
Mar 13, 2024

Conversation

pandeymangg
Contributor

@pandeymangg pandeymangg commented Mar 13, 2024

What does this PR do?

Adds authorization checks to the update product server action, allowing only owner, admin and editor to update a product.

Fixes # (issue)

How should this be tested?

  • Make the API call to the update product service from a viewer or developer account
  • It should fail

Checklist

Required

  • Filled out the "How to test" section in this PR
  • Read How we Code at Formbricks
  • Self-reviewed my own code
  • Commented on my code in hard-to-understand bits
  • Ran pnpm build
  • Checked for warnings, there are none
  • Removed all console.logs
  • Merged the latest changes from main onto my branch with git pull origin main
  • My changes don't cause any responsiveness issues

Appreciated

  • If a UI change was made: Added a screen recording or screenshots to this PR
  • Updated the Formbricks Docs if changes were necessary


vercel bot commented Mar 13, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Ignored Deployments
Name Status Preview Comments Updated (UTC)
formbricks-cloud ⬜️ Ignored (Inspect) Visit Preview Mar 13, 2024 1:00pm
formbricks-com ⬜️ Ignored (Inspect) Visit Preview Mar 13, 2024 1:00pm

Contributor

github-actions bot commented Mar 13, 2024

Thank you for following the naming conventions for pull request titles! 🙏

Contributor

apps/web/app/(app)/environments/[environmentId]/settings/product/actions.ts

Instead of making two separate calls to get the team and then the membership, you could create a new function that gets the membership by the environmentId and userId directly. This would reduce the number of database calls and improve the performance of the code.

    const membership = await getMembershipByEnvironmentIdUserId(environmentId, session.user.id);

    if (!membership) {
      throw new AuthorizationError("Not authorized");
    }

    if (membership.role === "viewer" || membership.role === "developer") {
      throw new AuthorizationError("You are not allowed to update products.");
    }
git fetch origin && git checkout -b ReviewBot/Impro-f2yn762 origin/ReviewBot/Impro-f2yn762

Instead of using multiple if statements to check the role of the user, you could use a switch statement. This would make the code more readable and easier to maintain.

    switch (membership.role) {
      case "viewer":
      case "developer":
        throw new AuthorizationError("You are not allowed to update products.");
      default:
        const updatedProduct = await updateProduct(productId, data);
        return updatedProduct;
    }
git fetch origin && git checkout -b ReviewBot/Impro-i10vsvd origin/ReviewBot/Impro-i10vsvd

Comment on lines 43 to 52
const team = await getTeamByEnvironmentId(environmentId);
const membership = team ? await getMembershipByUserIdTeamId(session.user.id, team.id) : null;

if (!membership) {
throw new AuthorizationError("Not authorized");
}

if (membership.role === "viewer" || membership.role === "developer") {
throw new AuthorizationError("You are not allowed to update products.");
}
Contributor


Reducing the number of database calls by creating a new function that gets the membership by the environmentId and userId directly.

Suggested change

Original:
const team = await getTeamByEnvironmentId(environmentId);
const membership = team ? await getMembershipByUserIdTeamId(session.user.id, team.id) : null;
if (!membership) {
throw new AuthorizationError("Not authorized");
}
if (membership.role === "viewer" || membership.role === "developer") {
throw new AuthorizationError("You are not allowed to update products.");
}

Suggested:
const membership = await getMembershipByEnvironmentIdUserId(environmentId, session.user.id);
if (!membership) {
throw new AuthorizationError("Not authorized");
}
if (membership.role === "viewer" || membership.role === "developer") {
throw new AuthorizationError("You are not allowed to update products.");
}

Comment on lines 50 to 55
if (membership.role === "viewer" || membership.role === "developer") {
throw new AuthorizationError("You are not allowed to update products.");
}

const updatedProduct = await updateProduct(productId, data);
return updatedProduct;
Contributor


Replaced the multiple if statements with a switch statement for better readability and maintainability.

Suggested change

Original:
if (membership.role === "viewer" || membership.role === "developer") {
throw new AuthorizationError("You are not allowed to update products.");
}
const updatedProduct = await updateProduct(productId, data);
return updatedProduct;

Suggested:
switch (membership.role) {
case "viewer":
case "developer":
throw new AuthorizationError("You are not allowed to update products.");
default:
const updatedProduct = await updateProduct(productId, data);
return updatedProduct;
}
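Added example (TypeScript, not code from Formbricks or from this PR): the check in the lines quoted above rejects the "viewer" and "developer" roles and lets every other role value through, while the PR description states the intent as allowing only owner, admin and editor. The two formulations behave the same for the five roles that exist today and differ as soon as a role value the check does not anticipate appears. The block below puts the denylist form next to an allowlist form and wraps the allowlist in a stand-in for the server action. It also resolves the membership from the team that owns the product rather than from a separately supplied environmentId; the lines on this page do not show whether productId is checked against the supplied environment, so that is a design choice of the example, not a statement about the project. The membership records, the product store, the "billing" role, the AuthorizationError stand-in and all function names are constructed for this example.

```typescript
// Added example, not code from Formbricks or from this PR. It contrasts the role
// check as written in the PR (a denylist: reject "viewer" and "developer") with an
// allowlist of the roles the PR description names as permitted (owner, admin,
// editor). The membership records, the "billing" role, the product store, the
// AuthorizationError stand-in and all function names are constructed for this
// example.

interface Membership {
  userId: string;
  teamId: string;
  role: string; // left as a plain string, as a value read from a database row would be
}

interface Product {
  id: string;
  teamId: string;
  name: string;
}

// Stand-in for the project's AuthorizationError class (constructed for the example).
class AuthorizationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AuthorizationError";
  }
}

// Constructed sample data: one team, one product, one member per role, plus a
// hypothetical "billing" role that neither check on the page anticipates.
const MEMBERSHIPS: Membership[] = [
  { userId: "u-owner", teamId: "team-1", role: "owner" },
  { userId: "u-admin", teamId: "team-1", role: "admin" },
  { userId: "u-editor", teamId: "team-1", role: "editor" },
  { userId: "u-developer", teamId: "team-1", role: "developer" },
  { userId: "u-viewer", teamId: "team-1", role: "viewer" },
  { userId: "u-billing", teamId: "team-1", role: "billing" },
];

const PRODUCTS: Product[] = [{ id: "prod-1", teamId: "team-1", name: "Original name" }];

// In-memory stand-in for the membership lookup; the project's helper of the same
// name on this page is backed by the database.
function getMembershipByUserIdTeamId(userId: string, teamId: string): Membership | null {
  return MEMBERSHIPS.find((m) => m.userId === userId && m.teamId === teamId) ?? null;
}

// The check as written in the PR: only the two named roles are rejected, so any
// other role value, including "billing", is allowed through.
function isAllowedByDenylist(membership: Membership | null): boolean {
  if (!membership) return false;
  return !(membership.role === "viewer" || membership.role === "developer");
}

// Allowlist form: only the roles the PR description names may update a product.
// Any other value, including a role added later, fails closed.
const PRODUCT_UPDATE_ROLES = new Set<string>(["owner", "admin", "editor"]);

function isAllowedByAllowlist(membership: Membership | null): boolean {
  if (!membership) return false;
  return PRODUCT_UPDATE_ROLES.has(membership.role);
}

// Simplified stand-in for the server action, using the allowlist. The team is
// taken from the product being updated, so the membership that is checked is the
// one for the team that actually owns the product.
function updateProductAction(userId: string, productId: string, data: { name: string }): Product {
  const product = PRODUCTS.find((p) => p.id === productId);
  if (!product) {
    throw new Error("Product not found");
  }
  const membership = getMembershipByUserIdTeamId(userId, product.teamId);
  if (!membership) {
    throw new AuthorizationError("Not authorized");
  }
  if (!isAllowedByAllowlist(membership)) {
    throw new AuthorizationError("You are not allowed to update products.");
  }
  product.name = data.name;
  return { ...product };
}

// Exercises the action and reports the outcome as a string instead of throwing.
function tryUpdate(userId: string, productId: string, name: string): string {
  try {
    updateProductAction(userId, productId, { name });
    return "ok";
  } catch (e) {
    return e instanceof Error ? e.name : "unknown";
  }
}
```

Running it with any TypeScript runner, tryUpdate returns "ok" for the owner, admin and editor members and "AuthorizationError" for the viewer, the developer, the unanticipated billing member and a non-member, while isAllowedByDenylist on the billing membership returns true. A missing product surfaces as a plain Error rather than an authorization failure, which keeps the two failure modes distinguishable in logs.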

Member

@mattinannt mattinannt left a comment


@pandeymangg thanks for fixing this and the quick turnaround! 💪

@mattinannt mattinannt added this pull request to the merge queue Mar 13, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 13, 2024
@mattinannt mattinannt added this pull request to the merge queue Mar 13, 2024
Merged via the queue into main with commit 6f78049 Mar 13, 2024
14 checks passed
@mattinannt mattinannt deleted the hotfix/product-update branch March 13, 2024 13:41