From ce8692b1ee7fe9f4156667f5e6f44b21df136630 Mon Sep 17 00:00:00 2001 From: Sebastian Seggewiss Date: Thu, 5 Oct 2023 14:58:09 +0200 Subject: [PATCH] NEXT-30849 - Fix permission errors --- CHANGELOG.md | 6 +++ devenv.lock | 26 +++++++++-- package-lock.json | 4 +- package.json | 2 +- src/_internals/validator/index.ts | 67 --------------------------- src/channel.ts | 76 +------------------------------ 6 files changed, 33 insertions(+), 148 deletions(-) delete mode 100644 src/_internals/validator/index.ts diff --git a/CHANGELOG.md b/CHANGELOG.md index 23cf9524..0d46d240 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ All notable changes to this project will be documented in this file. +## [3.0.15] - 05.10.2023 + +## Removed + +- Removed client side permission validation based on Entities and EntityCollections + ## [3.0.13] - 21.07.2023 ## Fixed diff --git a/devenv.lock b/devenv.lock index 8019a3b6..021070eb 100644 --- a/devenv.lock +++ b/devenv.lock @@ -34,12 +34,15 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", "type": "github" }, "original": { @@ -96,7 +99,7 @@ }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } 
@@ -131,6 +134,21 @@ "nixpkgs": "nixpkgs", "pre-commit-hooks": "pre-commit-hooks" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/package-lock.json b/package-lock.json index abc3de02..d602ec83 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@shopware-ag/admin-extension-sdk", - "version": "3.0.10", + "version": "3.1.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "@shopware-ag/admin-extension-sdk", - "version": "3.0.10", + "version": "3.1.0", "license": "MIT", "dependencies": { "localforage": "^1.10.0", diff --git a/package.json b/package.json index 2df01823..e1d2d402 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@shopware-ag/admin-extension-sdk", "license": "MIT", - "version": "3.0.14", + "version": "3.0.15", "repository": "git://github.com/shopware/admin-extension-sdk.git", "description": "The SDK for App iframes to communicate with the Shopware Administration", "keywords": [ diff --git a/src/_internals/validator/index.ts b/src/_internals/validator/index.ts deleted file mode 100644 index 24875531..00000000 --- a/src/_internals/validator/index.ts +++ /dev/null 
@@ -1,67 +0,0 @@
-/* eslint-disable @typescript-eslint/no-unsafe-assignment */
-/* eslint-disable @typescript-eslint/no-unsafe-member-access */
-/* eslint-disable @typescript-eslint/no-explicit-any */
-import type { privilegeString } from '../../privileges/privilege-resolver';
-import type { privileges } from '../../privileges/privilege-resolver';
-import type { ShopwareMessageTypes } from '../../messages.types';
-import { findExtensionByBaseUrl } from '../../privileges/privilege-resolver';
-import { traverseObject } from '../utils';
-import MissingPrivilegesError from '../../privileges/missing-privileges-error';
-
-export default function validate({
- serializedData,
- origin,
- type,
- privilegesToCheck = [],
-}: {
- serializedData: any,
- origin: string,
- type: keyof ShopwareMessageTypes,
- privilegesToCheck: (keyof privileges)[],
-}): Error|null {
- if (origin === undefined) {
- return null;
- }
-
- const extension = findExtensionByBaseUrl(origin);
-
- if (!extension) {
- console.warn(`No extension found for origin "${origin}"`);
- return null;
- }
-
- // Check privileges for entity
- const privilegeErrors: privilegeString[] = [];
-
- traverseObject(serializedData, (parentEntry, key, value) => {
- if (key === '__type__' && ['__EntityCollection__', '__Entity__'].includes(value as string)) {
- const entityName = parentEntry.__entityName__ as string;
-
- if (!entityName) {
- return;
- }
-
- [...privilegesToCheck].sort().forEach(privilege => {
- const permissionsForPrivilege = extension.permissions[privilege];
- if (
- (
- !permissionsForPrivilege ||
- !permissionsForPrivilege.includes(entityName)
- )
- &&
- !privilegeErrors.includes(`${privilege}:${entityName}`)
- &&
- !permissionsForPrivilege?.includes('*')
- ) {
- privilegeErrors.push(`${privilege}:${entityName}`);
- }
- });
- }
- });
-
- if (privilegeErrors.length > 0) {
- return new MissingPrivilegesError(type, privilegeErrors);
- }
-
- return null;
-}
diff --git a/src/channel.ts b/src/channel.ts index eee06925..e906f4e4 100644 --- a/src/channel.ts +++ b/src/channel.ts @@ -7,7 +7,6 @@ import { ShopwareMessageTypePrivileges } from './privileges'; import MissingPrivilegesError from './privileges/missing-privileges-error'; import SerializerFactory from './_internals/serializer'; import createError from './_internals/error-handling/error-factory'; -import validate from './_internals/validator/index'; import type { datasetRegistration } from './data'; import { selectData } from './data/_internals/selectData'; import sdkVersion from './_internals/sdkVersion'; @@ -126,47 +125,7 @@ export function send( _callbackId: callbackId, }; - let serializedData = serialize(messageData) as ShopwareMessageSendData; - - // Validate if send value contains entity data where the app has no privileges for - if (_origin) { - const validationErrors = validate({ - serializedData: serializedData, - origin: _origin, - privilegesToCheck: ['read'], - type: type, - }); - - if (validationErrors) { - // Datasets need the id for matching the response - if ([ - 'datasetSubscribe', - 'datasetUpdate', - 'datasetRegistration', - 'datasetGet', - ].includes(serializedData._type)) { - serializedData = serialize({ - _type: serializedData._type, - _callbackId: serializedData._callbackId, - _data: { - // @ts-expect-error - We know with the includes that it has an ID - // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment - id: serializedData._data.id, - data: validationErrors, - }, - }) as ShopwareMessageSendData; - } - // Everything else can overwrite the response - else { - serializedData = serialize({ - _type: serializedData._type, - _callbackId: serializedData._callbackId, - _data: validationErrors, - }) as ShopwareMessageSendData; - } - - } - } + const serializedData = serialize(messageData) as ShopwareMessageSendData; // Convert message data to string for message sending const message = JSON.stringify(serializedData); 
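Review bot: After this change `send` serializes `messageData` and posts it with no check of the entity payload against the permissions of the extension behind `_origin`, and the two `handle` hunks that follow drop the same check for incoming data (`create`/`delete`/`update`/`read`) and for the response (`read`). The changelog calls the removed code client-side validation, so enforcement presumably now rests on the server's ACL, but nothing in the visible lines records that. I would add a comment above the new line, e.g. `// Entity-level privileges are not validated here; enforcement must happen where the entity data is loaded or written.`, and confirm that no handler returns entities fetched with the logged-in admin's privileges to an origin that lacks the matching read permission. `send` and `handle` both start and end outside their hunks, so whether the message-type check suggested by the still-imported `ShopwareMessageTypePrivileges` and `MissingPrivilegesError` remains in place cannot be seen from here.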
@@ -315,21 +274,6 @@ export function handle // eslint-disable-next-line @typescript-eslint/explicit-function-return-type const responseValue = await Promise.resolve((() => { - /* - * Validate incoming handle messages for privileges - * in Entity and Entity Collection - */ - const validationErrors = validate({ - serializedData: shopwareMessageData, - origin: event.origin, - type: type, - privilegesToCheck: ['create', 'delete', 'update', 'read'], - }); - - if (validationErrors) { - return validationErrors; - } - // eslint-disable-next-line @typescript-eslint/no-unsafe-return return method( deserializedMessageData._data, @@ -345,23 +289,7 @@ export function handle // Replace methods etc. so that they are working in JSON format const serializedResponseMessage = ((): ShopwareMessageResponseData => { - let serializedMessage = serialize(responseMessage) as ShopwareMessageResponseData; - - // Validate if response value contains entity data where the app has no privileges for - const validationErrors = validate({ - serializedData: serializedMessage, - origin: event.origin, - privilegesToCheck: ['read'], - type: type, - }); - - if (validationErrors) { - // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment - serializedMessage._response = validationErrors; - serializedMessage = serialize(serializedMessage) as ShopwareMessageResponseData; - } - - return serializedMessage; + return serialize(responseMessage) as ShopwareMessageResponseData; })(); const stringifiedResponseMessage = JSON.stringify(serializedResponseMessage);
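Review bot: In the second hunk here, the immediately-invoked arrow function assigned to `serializedResponseMessage` now contains a single `return`, so it only adds indirection. `const serializedResponseMessage = serialize(responseMessage) as ShopwareMessageResponseData;` expresses the same thing, and the existing comment above it can stay. The enclosing `handle` callback starts and ends outside the hunk.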