refactor(cloud): add validation to prevent access to shared resources

apps/dokploy/components/dashboard/settings/git/github/add-github-provider.tsx

@@ -17,7 +17,6 @@ import { useEffect, useState } from "react";
 
 export const AddGithubProvider = () => {
 	const [isOpen, setIsOpen] = useState(false);
-	const url = useUrl();
 	const { data } = api.auth.get.useQuery();
 	const [manifest, setManifest] = useState("");
 	const [isOrganization, setIsOrganization] = useState(false);

apps/dokploy/server/api/routers/git-provider.ts

@@ -2,11 +2,11 @@ import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
 import { db } from "@/server/db";
 import { apiRemoveGitProvider, gitProvider } from "@/server/db/schema";
 import { TRPCError } from "@trpc/server";
-import { desc } from "drizzle-orm";
+import { desc, eq } from "drizzle-orm";
-import { removeGitProvider } from "@dokploy/builders";
+import { findGitProviderById, removeGitProvider } from "@dokploy/builders";
 
 export const gitProviderRouter = createTRPCRouter({
-	getAll: protectedProcedure.query(async () => {
+	getAll: protectedProcedure.query(async ({ ctx }) => {
 		return await db.query.gitProvider.findMany({
 			with: {
 				gitlab: true,
@@ -14,12 +14,21 @@ export const gitProviderRouter = createTRPCRouter({
 				github: true,
 			},
 			orderBy: desc(gitProvider.createdAt),
+			// where: eq(gitProvider.adminId, ctx.user.adminId), //TODO: Remove this line when the cloud version is ready
 		});
 	}),
 	remove: protectedProcedure
 		.input(apiRemoveGitProvider)
-		.mutation(async ({ input }) => {
+		.mutation(async ({ input, ctx }) => {
 			try {
+				const gitProvider = await findGitProviderById(input.gitProviderId);
+
+				// if (gitProvider.adminId !== ctx.user.adminId) {
+				// 	throw new TRPCError({
+				// 		code: "UNAUTHORIZED",
+				// 		message: "You are not allowed to delete this git provider",
+				// 	});
+				// }
 				return await removeGitProvider(input.gitProviderId);
 			} catch (error) {
 				throw new TRPCError({

apps/dokploy/server/api/routers/registry.ts

@@ -13,10 +13,11 @@ import {
 	execAsync,
 	manageRegistry,
 	createRegistry,
-	findAllRegistry,
+	findAllRegistryByAdminId,
 	findRegistryById,
 	removeRegistry,
 	updateRegistry,
+	IS_CLOUD,
 } from "@dokploy/builders";
 import { adminProcedure, createTRPCRouter, protectedProcedure } from "../trpc";
 
@@ -24,17 +25,31 @@ export const registryRouter = createTRPCRouter({
 	create: adminProcedure
 		.input(apiCreateRegistry)
 		.mutation(async ({ ctx, input }) => {
-			return await createRegistry(input);
+			return await createRegistry(input, ctx.user.adminId);
 		}),
 	remove: adminProcedure
 		.input(apiRemoveRegistry)
 		.mutation(async ({ ctx, input }) => {
+			const registry = await findRegistryById(input.registryId);
+			if (registry.adminId !== ctx.user.adminId) {
+				throw new TRPCError({
+					code: "UNAUTHORIZED",
+					message: "You are not allowed to delete this registry",
+				});
+			}
 			return await removeRegistry(input.registryId);
 		}),
 	update: protectedProcedure
 		.input(apiUpdateRegistry)
-		.mutation(async ({ input }) => {
+		.mutation(async ({ input, ctx }) => {
 			const { registryId, ...rest } = input;
+			const registry = await findRegistryById(registryId);
+			if (registry.adminId !== ctx.user.adminId) {
+				throw new TRPCError({
+					code: "UNAUTHORIZED",
+					message: "You are not allowed to update this registry",
+				});
+			}
 			const application = await updateRegistry(registryId, {
 				...rest,
 			});
@@ -48,12 +63,21 @@ export const registryRouter = createTRPCRouter({
 
 			return true;
 		}),
-	all: protectedProcedure.query(async () => {
+	all: protectedProcedure.query(async ({ ctx }) => {
-		return await findAllRegistry();
+		return await findAllRegistryByAdminId(ctx.user.adminId);
-	}),
-	one: adminProcedure.input(apiFindOneRegistry).query(async ({ input }) => {
-		return await findRegistryById(input.registryId);
 	}),
+	one: adminProcedure
+		.input(apiFindOneRegistry)
+		.query(async ({ input, ctx }) => {
+			const registry = await findRegistryById(input.registryId);
+			if (registry.adminId !== ctx.user.adminId) {
+				throw new TRPCError({
+					code: "UNAUTHORIZED",
+					message: "You are not allowed to access this registry",
+				});
+			}
+			return registry;
+		}),
 	testRegistry: protectedProcedure
 		.input(apiTestRegistry)
 		.mutation(async ({ input }) => {
@@ -75,18 +99,27 @@ export const registryRouter = createTRPCRouter({
 
 	enableSelfHostedRegistry: adminProcedure
 		.input(apiEnableSelfHostedRegistry)
-		.mutation(async ({ input }) => {
+		.mutation(async ({ input, ctx }) => {
-			const selfHostedRegistry = await createRegistry({
+			if (IS_CLOUD) {
-				...input,
+				throw new TRPCError({
-				registryName: "Self Hosted Registry",
+					code: "UNAUTHORIZED",
-				registryType: "selfHosted",
+					message: "Self Hosted Registry is not available in the cloud version",
-				registryUrl:
+				});
-					process.env.NODE_ENV === "production"
+			}
-						? input.registryUrl
+			const selfHostedRegistry = await createRegistry(
-						: "dokploy-registry.docker.localhost",
+				{
-				imagePrefix: null,
+					...input,
-				serverId: undefined,
+					registryName: "Self Hosted Registry",
-			});
+					registryType: "selfHosted",
+					registryUrl:
+						process.env.NODE_ENV === "production"
+							? input.registryUrl
+							: "dokploy-registry.docker.localhost",
+					imagePrefix: null,
+					serverId: undefined,
+				},
+				ctx.user.adminId,
+			);
 
 			await manageRegistry(selfHostedRegistry);
 			await initializeRegistry(input.username, input.password);
@@ -94,17 +127,3 @@ export const registryRouter = createTRPCRouter({
 			return selfHostedRegistry;
 		}),
 });
-
-const shellEscape = (str: string) => {
-	const ret = [];
-	let s = str;
-	if (/[^A-Za-z0-9_\/:=-]/.test(s)) {
-		s = `'${s.replace(/'/g, "'\\''")}'`;
-		s = s
-			.replace(/^(?:'')+/g, "") // unduplicate single-quote at the beginning
-			.replace(/\\'''/g, "\\'"); // remove non-escaped single-quote if there are enclosed between 2 escaped
-	}
-	ret.push(s);
-
-	return ret.join(" ");
-};