fix(core): Restrict updating/deleting of shared but not owned credentials #7950
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
n8n-assistant
bot
added
core
krynble
reviewed
Dec 7, 2023
| @@ -160,6 +166,17 @@ credentialsController.patch( | |||
| ); | |||
| } | |||
|
|
|||
| if (sharing.role.name !== 'owner' && !(await req.user.hasGlobalScope('credential:update'))) { | |||
| Container.get(Logger).info( | |||
| 'Attempt to delete credential blocked due to lack of permissions', | |||
There was a problem hiding this comment.
Suggested change
| 'Attempt to delete credential blocked due to lack of permissions', | |
| 'Attempt to update credential blocked due to lack of permissions', |
krynble
approved these changes
Dec 7, 2023
Passing run #3228 ↗︎
Details:
Review all test suite changes for PR #7950 ↗︎ |
|||||||||||||||
|
✅ All Cypress E2E specs passed |
valya
deleted the
pay-1095-bug-any-shared-user-can-updatedelete-a-credential
branch
netroy
changed the title
ivov
added a commit
that referenced
this pull request
Dec 13, 2023
# [1.21.0](https://github.com/n8n-io/n8n/compare/n8n@1.20.0...n8n@1.21.0) (2023-12-13) ### Bug Fixes * **core:** Ensure inviter and invitee are set correctly in invite link ([#7943](#7943)) ([386bd61](386bd61)) * **core:** Fix user comparison in same-user subworkflow caller policy ([#7913](#7913)) ([92bab72](92bab72)) * **core:** Perform multi-main leader check against key ID ([#7964](#7964)) ([1a87f70](1a87f70)) * **core:** Ensure external hooks post workflow execute run in queue mode ([#7947](#7947)) ([3ba7deb](3ba7deb)) * **core:** Fix issue preventing secrets from loading if the path contains - or / ([#7988](#7988)) ([0ac9594](0ac9594)) * **core:** Restrict updating/deleting of shared but not owned credentials ([#7950](#7950)) ([42e828d](42e828d)) * **core:** Prevent workflow history saving error from happening ([#7812](#7812)) ([e5581ce](e5581ce)) * **editor:** Add missing string for worker in log streaming ([#7971](#7971)) ([148bc1d](148bc1d)) * **editor:** Allow SSH protocol in git repository URL for environments ([#7944](#7944)) ([bc1c72f](bc1c72f)) * **editor:** Fix bug with node names with certain characters ([#8013](#8013)) ([26f0d57](26f0d57)) * **editor:** Fix Webhook URL expansion icon ([#8011](#8011)) ([b00b905](b00b905)) * **editor:** Prevent opening NDV search if `/` is typed in a contenteditable element ([#7968](#7968)) ([e8a493f](e8a493f)) * **editor:** Return early in ws message handler if no 'command' keyword is found ([#7946](#7946)) ([5b2defc](5b2defc)) * **FileMaker Node:** Prevent erroring on zero fields loaded ([#7955](#7955)) ([10ad386](10ad386)) * **Google Sheets Node:** Prevent erroring on zero sheet search results ([#7957](#7957)) ([9b877a9](9b877a9)) * **Google Sheets Node:** Prevent erroring when fetching mapping columns ([#7972](#7972)) ([29a1066](29a1066)) * **Postgres Node:** Do not include id column in upsert fields selection if it's not unique ([#7975](#7975)) ([435392c](435392c)) * **Postgres Trigger Node:** Increase manual trigger timeout from 30 to 60 seconds ([#8015](#8015)) ([09a5729](09a5729)) * **Webhook Node:** Binary data handling ([#7804](#7804)) ([565b409](565b409)) * **Webhook Node:** Do not create binary data when there is no data in the request ([#8000](#8000)) ([70f0755](70f0755)) ### Features * **core:** Add config option for external secret update interval ([#7995](#7995)) ([b6c1c04](b6c1c04)) * AI nodes usability fixes + Summarization Chain V2 ([#7949](#7949)) ([dcf1286](dcf1286)) * **editor:** Data transformation nodes and actions in Nodes Panel ([#7760](#7760)) ([675ec21](675ec21)) * **editor:** Add AppCues tracking for onboarding event ([#7945](#7945)) ([04cabaf](04cabaf)) * **editor:** Add option to disable NDV in workflow previews ([#7990](#7990)) ([393afef](393afef)) * **editor:** Filter component + implement in If node ([#7490](#7490)) ([8a53434](8a53434)) * **editor:** Show template credential setup based on feature flag ([#7989](#7989)) ([08ee307](08ee307)) * **editor:** Introduce advanced permissions ([#7844](#7844)) ([dbd62a4](dbd62a4)) * **Google Ads Node:** Update to support v15 ([#7962](#7962)) ([7f01269](7f01269)) * **Local File Trigger Node:** Add polling option typically good to watch network files/folders ([#7942](#7942)) ([2fbdfec](2fbdfec)) * **n8n Form Trigger Node:** Improvements ([#7571](#7571)) ([953a58f](953a58f)) Co-authored-by: ivov <ivov@users.noreply.github.com>
|
Got released with |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fix shared members being able to edit and delete credentials they don't own
How to test the change:
Issues fixed
Include links to Github issue or Community forum post or Linear ticket:
...
Review / Merge checklist
(no-changelog)otherwise. (conventions)