fix: disable FLP for import/process Lambda function (#3697)

webiny · Nov 13, 2023 · 0c2b5da · 0c2b5da
1 parent 77ee10c
commit 0c2b5da
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 12 deletions.
diff --git a/apps/api/pageBuilder/import/process/src/index.ts b/apps/api/pageBuilder/import/process/src/index.ts
@@ -54,7 +54,7 @@ export const handler = createHandler({
                 locale
             };
         }),
-        createAco(),
+        createAco({ useFolderLevelPermissions: false }),
         createFileManagerContext({
             storageOperations: createFileManagerStorageOperations({ documentClient })
         }),

diff --git a/packages/api-aco/src/createAcoContext.ts b/packages/api-aco/src/createAcoContext.ts
@@ -18,7 +18,14 @@ import { createOperationsWrapper } from "~/utils/createOperationsWrapper";
 import { getFolderFieldValues } from "~/utils/getFieldValues";
 import { createFilterCrudMethods } from "~/filter/filter.crud";
 
-const setupAcoContext = async (context: AcoContext): Promise<void> => {
+interface CreateAcoContextParams {
+    useFolderLevelPermissions?: boolean;
+}
+
+const setupAcoContext = async (
+    context: AcoContext,
+    setupAcoContextParams: CreateAcoContextParams
+): Promise<void> => {
     const { tenancy, security, i18n } = context;
 
     const getLocale = (): I18NLocale => {
@@ -97,7 +104,14 @@ const setupAcoContext = async (context: AcoContext): Promise<void> => {
             });
         },
         canUseTeams: () => context.wcp.canUseTeams(),
-        canUseFolderLevelPermissions: () => context.wcp.canUseFolderLevelPermissions()
+        canUseFolderLevelPermissions: () => {
+            if (setupAcoContextParams.useFolderLevelPermissions === false) {
+                return false;
+            }
+
+            return context.wcp.canUseFolderLevelPermissions();
+        },
+        isAuthorizationEnabled: () => context.security.isAuthorizationEnabled()
     });
 
     const params: CreateAcoParams = {
@@ -166,7 +180,7 @@ const setupAcoContext = async (context: AcoContext): Promise<void> => {
     }
 };
 
-export const createAcoContext = () => {
+export const createAcoContext = (params: CreateAcoContextParams = {}) => {
     const plugin = new ContextPlugin<AcoContext>(async context => {
         /**
          * We can skip the ACO initialization if the installation is pending.
@@ -175,7 +189,7 @@ export const createAcoContext = () => {
             return;
         }
         await context.benchmark.measure("aco.context.setup", async () => {
-            await setupAcoContext(context);
+            await setupAcoContext(context, params);
         });
 
         await context.benchmark.measure("aco.context.hooks", async () => {

diff --git a/packages/api-aco/src/index.ts b/packages/api-aco/src/index.ts
@@ -8,6 +8,10 @@ export { FILTER_MODEL_ID } from "./filter/filter.model";
 export * from "./apps";
 export * from "./plugins";
 
-export const createAco = () => {
-    return [...createFields(), createAcoContext(), ...createAcoGraphQL()];
+export interface CreateAcoParams {
+    useFolderLevelPermissions?: boolean;
+}
+
+export const createAco = (params: CreateAcoParams) => {
+    return [...createFields(), createAcoContext(params), ...createAcoGraphQL()];
 };
diff --git a/packages/api-aco/src/utils/FolderLevelPermissions.ts b/packages/api-aco/src/utils/FolderLevelPermissions.ts
@@ -51,6 +51,7 @@ export interface FolderLevelPermissionsParams {
     listAllFolders: (folderType: string) => Promise<Folder[]>;
     canUseTeams: () => boolean;
     canUseFolderLevelPermissions: () => boolean;
+    isAuthorizationEnabled: () => boolean;
 }
 
 export class FolderLevelPermissions {
@@ -60,6 +61,7 @@ export class FolderLevelPermissions {
     private readonly listAllFoldersCallback: (folderType: string) => Promise<Folder[]>;
     private readonly canUseTeams: () => boolean;
     private readonly canUseFolderLevelPermissions: () => boolean;
+    private readonly isAuthorizationEnabled: () => boolean;
     private allFolders: Record<string, Folder[]> = {};
 
     constructor(params: FolderLevelPermissionsParams) {
@@ -69,6 +71,16 @@ export class FolderLevelPermissions {
         this.listAllFoldersCallback = params.listAllFolders;
         this.canUseTeams = params.canUseTeams;
         this.canUseFolderLevelPermissions = params.canUseFolderLevelPermissions;
+
+        this.isAuthorizationEnabled = params.isAuthorizationEnabled;
+
+        // TODO: resolve this issue.
+        // We immediately enable authorization, because, at the moment, the rest of the system
+        // requires us to have FLP always enabled. We must now disable it, even if the security's
+        // `isAuthorizationEnabled` is set to false. To resolve this, we'll need to refactor CMS-based
+        // CRUD files and have them use CMS storage operations instead of CMS CRUD methods.
+        // We'll be handling this in the near future.
+        this.isAuthorizationEnabled = () => true;
     }
 
     async listAllFolders(folderType: string): Promise<Folder[]> {
@@ -107,7 +119,7 @@ export class FolderLevelPermissions {
     async listFoldersPermissions(
         params: ListFolderPermissionsParams
     ): Promise<FolderPermissionsList> {
-        if (!this.canUseFolderLevelPermissions()) {
+        if (!this.canUseFolderLevelPermissions() || !this.isAuthorizationEnabled()) {
             return [];
         }
 
@@ -275,7 +287,7 @@ export class FolderLevelPermissions {
     }
 
     async canAccessFolder(params: CanAccessFolderParams) {
-        if (!this.canUseFolderLevelPermissions()) {
+        if (!this.canUseFolderLevelPermissions() || !this.isAuthorizationEnabled()) {
             return true;
         }
 
@@ -343,27 +355,31 @@ export class FolderLevelPermissions {
             return false;
         }
 
+        if (!this.isAuthorizationEnabled()) {
+            return true;
+        }
+
         return this.canAccessFolder({ folder, rwd: "w", managePermissions: true });
     }
 
     canManageFolderStructure(folder: Folder) {
-        if (!this.canUseFolderLevelPermissions()) {
+        if (!this.canUseFolderLevelPermissions() || !this.isAuthorizationEnabled()) {
             return true;
         }
 
         return this.canAccessFolder({ folder, rwd: "w" });
     }
 
     canManageFolderContent(folder: Folder) {
-        if (!this.canUseFolderLevelPermissions()) {
+        if (!this.canUseFolderLevelPermissions() || !this.isAuthorizationEnabled()) {
             return true;
         }
 
         return this.canAccessFolderContent({ folder, rwd: "w" });
     }
 
     async canAccessFolderContent(params: CanAccessFolderContentParams) {
-        if (!this.canUseFolderLevelPermissions()) {
+        if (!this.canUseFolderLevelPermissions() || !this.isAuthorizationEnabled()) {
             return true;
         }
 

diff --git a/packages/api-page-builder-import-export/src/import/utils/uploadAssets.ts b/packages/api-page-builder-import-export/src/import/utils/uploadAssets.ts
@@ -74,6 +74,9 @@ export const uploadAssets = async (params: UploadAssetsParams) => {
         const newFile: FileInput = {
             ...toImport,
             id,
+            location: {
+                folderId: "root"
+            },
             key: newKey,
             meta: { ...toImport.meta, originalKey: toImport.key }
         };