From 7c4987d84dd040e77c1c61d8d1a4e6a74b50cd18 Mon Sep 17 00:00:00 2001 From: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com> Date: Fri, 4 Oct 2024 20:44:57 -0600 Subject: [PATCH] refactor(cloud): add validation to prevent access to shared resources --- .../git/github/add-github-provider.tsx | 1 - .../components/layouts/navigation-tabs.tsx | 67 ++++++++------- .../components/layouts/settings-layout.tsx | 16 ++-- apps/dokploy/pages/api/deploy/github.ts | 2 +- .../pages/api/providers/github/setup.ts | 40 ++++++--- apps/dokploy/server/api/routers/auth.ts | 2 +- apps/dokploy/server/api/routers/bitbucket.ts | 79 ++++++++++++++++-- .../server/api/routers/git-provider.ts | 22 +++-- apps/dokploy/server/api/routers/github.ts | 71 ++++++++++++---- apps/dokploy/server/api/routers/gitlab.ts | 69 ++++++++++++++-- .../server/api/routers/notification.ts | 82 ++++++++++--------- apps/dokploy/server/api/routers/settings.ts | 7 +- apps/dokploy/server/api/routers/ssh-key.ts | 40 +++++---- packages/builders/src/db/schema/github.ts | 1 - 14 files changed, 353 insertions(+), 146 deletions(-) diff --git a/apps/dokploy/components/dashboard/settings/git/github/add-github-provider.tsx b/apps/dokploy/components/dashboard/settings/git/github/add-github-provider.tsx index ffab42f4..58cc8723 100644 --- a/apps/dokploy/components/dashboard/settings/git/github/add-github-provider.tsx +++ b/apps/dokploy/components/dashboard/settings/git/github/add-github-provider.tsx @@ -11,7 +11,6 @@ import { import { Input } from "@/components/ui/input"; import { Switch } from "@/components/ui/switch"; import { api } from "@/utils/api"; -import { useUrl } from "@/utils/hooks/use-url"; import { format } from "date-fns"; import { useEffect, useState } from "react"; diff --git a/apps/dokploy/components/layouts/navigation-tabs.tsx b/apps/dokploy/components/layouts/navigation-tabs.tsx index b7d5bb39..9d6266c8 100644 --- a/apps/dokploy/components/layouts/navigation-tabs.tsx 
+++ b/apps/dokploy/components/layouts/navigation-tabs.tsx @@ -11,6 +11,7 @@ interface TabInfo { tabLabel?: string; description: string; index: string; + type: TabState; isShow?: ({ rol, user }: { rol?: Auth["rol"]; user?: User }) => boolean; } @@ -23,19 +24,24 @@ export type TabState = | "docker"; const getTabMaps = (isCloud: boolean) => { - const tabMap: Record = { - projects: { + const elements: TabInfo[] = [ + { label: "Projects", description: "Manage your projects", index: "/dashboard/projects", + type: "projects", }, - ...(!isCloud && { - monitoring: { + ]; + + if (!isCloud) { + elements.push( + { label: "Monitoring", description: "Monitor your projects", index: "/dashboard/monitoring", + type: "monitoring", }, - traefik: { + { label: "Traefik", tabLabel: "Traefik File System", description: "Manage your traefik", @@ -43,35 +49,39 @@ const getTabMaps = (isCloud: boolean) => { isShow: ({ rol, user }) => { return Boolean(rol === "admin" || user?.canAccessToTraefikFiles); }, + type: "traefik", }, - docker: { + { label: "Docker", description: "Manage your docker", index: "/dashboard/docker", isShow: ({ rol, user }) => { return Boolean(rol === "admin" || user?.canAccessToDocker); }, + type: "docker", }, - requests: { + { label: "Requests", description: "Manage your requests", index: "/dashboard/requests", isShow: ({ rol, user }) => { return Boolean(rol === "admin" || user?.canAccessToDocker); }, + type: "requests", }, - }), + ); + } - settings: { - label: "Settings", - description: "Manage your settings", - index: isCloud - ? "/dashboard/settings/profile" - : "/dashboard/settings/server", - }, - }; + elements.push({ + label: "Settings", + description: "Manage your settings", + type: "settings", + index: isCloud + ? "/dashboard/settings/profile" + : "/dashboard/settings/server", + }); - return tabMap; + return elements; }; interface Props { 
@@ -99,7 +109,7 @@ export const NavigationTabs = ({ tab, children }: Props) => { }, [tab]); const activeTabInfo = useMemo(() => { - return tabMap[activeTab]; + return tabMap.find((tab) => tab.type === activeTab); }, [activeTab]); return ( @@ -107,10 +117,10 @@ export const NavigationTabs = ({ tab, children }: Props) => {

- {activeTabInfo.label} + {activeTabInfo?.label}

- {activeTabInfo.description} + {activeTabInfo?.description}

{tab === "projects" && @@ -122,27 +132,26 @@ export const NavigationTabs = ({ tab, children }: Props) => { className="w-full" onValueChange={async (e) => { setActiveTab(e as TabState); - router.push(tabMap[e as TabState].index); + const tab = tabMap.find((tab) => tab.type === e); + router.push(tab?.index || ""); }} > - {/* className="grid w-fit grid-cols-4 bg-transparent" */}
- {Object.keys(tabMap).map((key) => { - const tab = tabMap[key as TabState]; - if (tab.isShow && !tab.isShow?.({ rol: data?.rol, user })) { + {tabMap.map((tab, index) => { + if (tab?.isShow && !tab?.isShow?.({ rol: data?.rol, user })) { return null; } return ( - {tab.tabLabel || tab.label} + {tab?.tabLabel || tab?.label} - {key === activeTab && ( + {tab.type === activeTab && (
diff --git a/apps/dokploy/components/layouts/settings-layout.tsx b/apps/dokploy/components/layouts/settings-layout.tsx index 16f8e690..e1b4463d 100644 --- a/apps/dokploy/components/layouts/settings-layout.tsx +++ b/apps/dokploy/components/layouts/settings-layout.tsx @@ -48,12 +48,16 @@ export const SettingsLayout = ({ children }: Props) => { icon: Database, href: "/dashboard/settings/destinations", }, - { - title: "Certificates", - label: "", - icon: ShieldCheck, - href: "/dashboard/settings/certificates", - }, + ...(!isCloud + ? [ + { + title: "Certificates", + label: "", + icon: ShieldCheck, + href: "/dashboard/settings/certificates", + }, + ] + : []), { title: "SSH Keys", label: "", diff --git a/apps/dokploy/pages/api/deploy/github.ts b/apps/dokploy/pages/api/deploy/github.ts index c711e093..73c1bdb5 100644 --- a/apps/dokploy/pages/api/deploy/github.ts +++ b/apps/dokploy/pages/api/deploy/github.ts @@ -23,7 +23,7 @@ export default async function handler( const signature = req.headers["x-hub-signature-256"]; const githubBody = req.body; - if (!githubBody?.installation.id) { + if (!githubBody?.installation?.id) { res.status(400).json({ message: "Github Installation not found" }); return; } diff --git a/apps/dokploy/pages/api/providers/github/setup.ts b/apps/dokploy/pages/api/providers/github/setup.ts index fca11f9b..5608f0db 100644 --- a/apps/dokploy/pages/api/providers/github/setup.ts +++ b/apps/dokploy/pages/api/providers/github/setup.ts @@ -1,4 +1,9 @@ -import { createGithub } from "@dokploy/builders"; +import { + createGithub, + findAdminByAuthId, + findAuthById, + findUserByAuthId, +} from "@dokploy/builders"; import { db } from "@/server/db"; import { github } from "@/server/db/schema"; import { eq } from "drizzle-orm"; 
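Review bot: Omitting the Certificates entry from the settings menu when `isCloud` is set only hides the link; the page at `/dashboard/settings/certificates` and the API behind it are not touched by this hunk. The commit's file list contains no certificates router, so if cloud tenants must not reach certificates, the restriction also needs a server-side check such as the `IS_CLOUD` gate the routers in this commit use. The same holds for the tabs that `getTabMaps` leaves out for cloud in navigation-tabs.tsx.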
@@ -34,16 +39,29 @@ export default async function handler( }, ); - await createGithub({ - name: data.name, - githubAppName: data.html_url, - githubAppId: data.id, - githubClientId: data.client_id, - githubClientSecret: data.client_secret, - githubWebhookSecret: data.webhook_secret, - githubPrivateKey: data.pem, - authId: value as string, - }); + const auth = await findAuthById(value as string); + + let adminId = ""; + if (auth.rol === "admin") { + const admin = await findAdminByAuthId(auth.id); + adminId = admin.adminId; + } else { + const user = await findUserByAuthId(auth.id); + adminId = user.adminId; + } + + await createGithub( + { + name: data.name, + githubAppName: data.html_url, + githubAppId: data.id, + githubClientId: data.client_id, + githubClientSecret: data.client_secret, + githubWebhookSecret: data.webhook_secret, + githubPrivateKey: data.pem, + }, + adminId, + ); } else if (action === "gh_setup") { await db .update(github) diff --git a/apps/dokploy/server/api/routers/auth.ts b/apps/dokploy/server/api/routers/auth.ts index 3d7b1afa..5964b17e 100644 --- a/apps/dokploy/server/api/routers/auth.ts +++ b/apps/dokploy/server/api/routers/auth.ts @@ -220,7 +220,7 @@ export const authRouter = createTRPCRouter({ lucia.createSessionCookie(session.id).serialize(), ); - return auth; + return true; }), disable2FA: protectedProcedure.mutation(async ({ ctx }) => { const auth = await findAuthById(ctx.user.authId); diff --git a/apps/dokploy/server/api/routers/bitbucket.ts b/apps/dokploy/server/api/routers/bitbucket.ts index 40eb14d9..bae9e58c 100644 --- a/apps/dokploy/server/api/routers/bitbucket.ts +++ b/apps/dokploy/server/api/routers/bitbucket.ts @@ -14,6 +14,7 @@ import { createBitbucket, findBitbucketById, updateBitbucket, + IS_CLOUD, } from "@dokploy/builders"; import { TRPCError } from "@trpc/server"; 
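Review bot: The tenant that receives the new GitHub app is resolved from `value` through `findAuthById(value as string)`, and nothing in this hunk ties that id to the session making the request. `value` is assigned outside the hunk; if it is read from the callback's query string, the handler stores `client_secret`, `webhook_secret` and the private key under whichever admin that id maps to. I would resolve the caller from the session first and return 401 when its auth id differs from `value`, before any lookup or `createGithub` call. The handler body starts and ends outside the hunk, so an existing session check elsewhere in it cannot be ruled out.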
@@ -33,11 +34,22 @@ export const bitbucketRouter = createTRPCRouter({ }), one: protectedProcedure .input(apiFindOneBitbucket) - .query(async ({ input }) => { - return await findBitbucketById(input.bitbucketId); + .query(async ({ input, ctx }) => { + const bitbucketProvider = await findBitbucketById(input.bitbucketId); + if ( + IS_CLOUD && + bitbucketProvider.gitProvider.adminId !== ctx.user.adminId + ) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this bitbucket provider", + }); + } + return bitbucketProvider; }), - bitbucketProviders: protectedProcedure.query(async () => { - const result = await db.query.bitbucket.findMany({ + bitbucketProviders: protectedProcedure.query(async ({ ctx }) => { + let result = await db.query.bitbucket.findMany({ with: { gitProvider: true, }, 
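Review bot: In `one`, a caller who is logged in but belongs to another tenant gets `code: "UNAUTHORIZED"`, which tRPC maps to 401 and clients tend to treat as an expired session; an ownership failure is an authorization result, so `code: "FORBIDDEN"` fits better. `findBitbucketById` is not shown, but if it answers an unknown id with a different error, the two responses together tell a tenant which provider ids exist, and returning the not-found error in both cases avoids that. The same block is pasted into every bitbucket, github, gitlab, notification and ssh-key handler in this commit, so a single shared helper that takes the resource's `adminId` and `ctx` would keep the code and message in one place.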
@@ -45,23 +57,65 @@ export const bitbucketRouter = createTRPCRouter({ bitbucketId: true, }, }); + + if (IS_CLOUD) { + // TODO: mAyBe a rEfaCtoR 🤫 + result = result.filter( + (provider) => provider.gitProvider.adminId === ctx.user.adminId, + ); + } return result; }), getBitbucketRepositories: protectedProcedure .input(apiFindOneBitbucket) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + const bitbucketProvider = await findBitbucketById(input.bitbucketId); + if ( + IS_CLOUD && + bitbucketProvider.gitProvider.adminId !== ctx.user.adminId + ) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this bitbucket provider", + }); + } return await getBitbucketRepositories(input.bitbucketId); }), getBitbucketBranches: protectedProcedure .input(apiFindBitbucketBranches) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + const bitbucketProvider = await findBitbucketById( + input.bitbucketId || "", + ); + if ( + IS_CLOUD && + bitbucketProvider.gitProvider.adminId !== ctx.user.adminId + ) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this bitbucket provider", + }); + } return await getBitbucketBranches(input); }), testConnection: protectedProcedure .input(apiBitbucketTestConnection) - .mutation(async ({ input }) => { + .mutation(async ({ input, ctx }) => { try { + const bitbucketProvider = await findBitbucketById(input.bitbucketId); + if ( + IS_CLOUD && + bitbucketProvider.gitProvider.adminId !== ctx.user.adminId + ) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this bitbucket provider", + }); + } const result = await testBitbucketConnection(input); return `Found ${result} repositories`; 
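Review bot: `getBitbucketBranches` now runs `findBitbucketById(input.bitbucketId || "")` before the `IS_CLOUD` test, so the lookup also executes on self-hosted installs and is issued with an empty id whenever `bitbucketId` is omitted. `findBitbucketById` is not shown; if it throws for an unknown id, calls that used to reach `getBitbucketBranches(input)` now fail earlier with a lookup error. I would reject the missing id explicitly, `if (!input.bitbucketId) throw new TRPCError({ code: "BAD_REQUEST", message: "bitbucketId is required" });`, or make the field required in `apiFindBitbucketBranches`. `getGithubBranches`, `getGitlabBranches` and the gitlab `testConnection` use the same `|| ""` fallback.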
@@ -75,6 +129,17 @@ export const bitbucketRouter = createTRPCRouter({ update: protectedProcedure .input(apiUpdateBitbucket) .mutation(async ({ input, ctx }) => { + const bitbucketProvider = await findBitbucketById(input.bitbucketId); + if ( + IS_CLOUD && + bitbucketProvider.gitProvider.adminId !== ctx.user.adminId + ) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this bitbucket provider", + }); + } return await updateBitbucket(input.bitbucketId, { ...input, adminId: ctx.user.adminId, diff --git a/apps/dokploy/server/api/routers/git-provider.ts b/apps/dokploy/server/api/routers/git-provider.ts index 105c59c9..996509a1 100644 --- a/apps/dokploy/server/api/routers/git-provider.ts +++ b/apps/dokploy/server/api/routers/git-provider.ts @@ -3,7 +3,11 @@ import { db } from "@/server/db"; import { apiRemoveGitProvider, gitProvider } from "@/server/db/schema"; import { TRPCError } from "@trpc/server"; import { desc, eq } from "drizzle-orm"; -import { findGitProviderById, removeGitProvider } from "@dokploy/builders"; +import { + findGitProviderById, + IS_CLOUD, + removeGitProvider, +} from "@dokploy/builders"; export const gitProviderRouter = createTRPCRouter({ getAll: protectedProcedure.query(async ({ ctx }) => { @@ -14,7 +18,8 @@ export const gitProviderRouter = createTRPCRouter({ github: true, }, orderBy: desc(gitProvider.createdAt), - // where: eq(gitProvider.adminId, ctx.user.adminId), //TODO: Remove this line when the cloud version is ready + ...(IS_CLOUD && { where: eq(gitProvider.adminId, ctx.user.adminId) }), + //TODO: Remove this line when the cloud version is ready }); }), remove: protectedProcedure 
@@ -23,12 +28,13 @@ export const gitProviderRouter = createTRPCRouter({ try { const gitProvider = await findGitProviderById(input.gitProviderId); - // if (gitProvider.adminId !== ctx.user.adminId) { - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not allowed to delete this git provider", - // }); - // } + if (IS_CLOUD && gitProvider.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to delete this git provider", + }); + } return await removeGitProvider(input.gitProviderId); } catch (error) { throw new TRPCError({ diff --git a/apps/dokploy/server/api/routers/github.ts b/apps/dokploy/server/api/routers/github.ts index dcd40487..ead651f4 100644 --- a/apps/dokploy/server/api/routers/github.ts +++ b/apps/dokploy/server/api/routers/github.ts @@ -12,6 +12,7 @@ import { findGithubById, haveGithubRequirements, updateGitProvider, + IS_CLOUD, } from "@dokploy/builders"; export const githubRouter = createTRPCRouter({ 
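Review bot: The new `throw new TRPCError({ code: "UNAUTHORIZED", ... })` in `remove` sits inside the `try`, so it is caught by the `catch (error)` at the end of the hunk and replaced by the `TRPCError` built there; the caller then sees that handler's code and message instead of the authorization failure. The rest of the catch is outside the hunk, so the final code is not visible, but rethrowing first keeps the result stable: `if (error instanceof TRPCError) throw error;`. The notification update and remove handlers and the bitbucket, github and gitlab `testConnection` handlers place the check inside a `try` in the same way.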
@@ -19,31 +20,55 @@ export const githubRouter = createTRPCRouter({ .input(apiFindOneGithub) .query(async ({ input, ctx }) => { const githubProvider = await findGithubById(input.githubId); - // if (githubProvider.gitProvider.adminId !== ctx.user.adminId) { //TODO: Remove this line when the cloud version is ready - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not allowed to access this github provider", - // }); - // } + if (IS_CLOUD && githubProvider.gitProvider.adminId !== ctx.user.adminId) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this github provider", + }); + } return githubProvider; }), getGithubRepositories: protectedProcedure .input(apiFindOneGithub) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + const githubProvider = await findGithubById(input.githubId); + if (IS_CLOUD && githubProvider.gitProvider.adminId !== ctx.user.adminId) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this github provider", + }); + } return await getGithubRepositories(input.githubId); }), getGithubBranches: protectedProcedure .input(apiFindGithubBranches) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + const githubProvider = await findGithubById(input.githubId || ""); + if (IS_CLOUD && githubProvider.gitProvider.adminId !== ctx.user.adminId) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this github provider", + }); + } return await getGithubBranches(input); }), - githubProviders: protectedProcedure.query(async () => { - const result = await db.query.github.findMany({ + githubProviders: protectedProcedure.query(async ({ ctx }) => { + let result = await db.query.github.findMany({ with: { 
gitProvider: true, }, }); + if (IS_CLOUD) { + // TODO: mAyBe a rEfaCtoR 🤫 + result = result.filter( + (provider) => provider.gitProvider.adminId === ctx.user.adminId, + ); + } + const filtered = result .filter((provider) => haveGithubRequirements(provider)) .map((provider) => { @@ -60,8 +85,19 @@ export const githubRouter = createTRPCRouter({ testConnection: protectedProcedure .input(apiFindOneGithub) - .mutation(async ({ input }) => { + .mutation(async ({ input, ctx }) => { try { + const githubProvider = await findGithubById(input.githubId); + if ( + IS_CLOUD && + githubProvider.gitProvider.adminId !== ctx.user.adminId + ) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this github provider", + }); + } const result = await getGithubRepositories(input.githubId); return `Found ${result.length} repositories`; } catch (err) { @@ -75,12 +111,13 @@ export const githubRouter = createTRPCRouter({ .input(apiUpdateGithub) .mutation(async ({ input, ctx }) => { const githubProvider = await findGithubById(input.githubId); - // if (githubProvider.gitProvider.adminId !== ctx.user.adminId) { //TODO: Remove this line when the cloud version is ready - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not allowed to access this github provider", - // }); - // } + if (IS_CLOUD && githubProvider.gitProvider.adminId !== ctx.user.adminId) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this github provider", + }); + } await updateGitProvider(input.gitProviderId, { name: input.name, adminId: ctx.user.adminId, diff --git a/apps/dokploy/server/api/routers/gitlab.ts b/apps/dokploy/server/api/routers/gitlab.ts index 940342a4..dd436f31 100644 --- a/apps/dokploy/server/api/routers/gitlab.ts +++ b/apps/dokploy/server/api/routers/gitlab.ts 
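Review bot: `githubProviders` still loads every tenant's github rows, each with its `gitProvider`, and only afterwards drops the foreign ones with `result.filter(...)`. Judging by the fields passed to `createGithub` in setup.ts, those rows presumably carry the app's client secret and private key, so on cloud each call reads other tenants' credentials into the request and scales with the whole table. Filtering in the query keeps the tenant boundary in the database: start from `db.query.gitProvider.findMany` with `where: eq(gitProvider.adminId, ctx.user.adminId)` and `with: { github: true }`, as `gitProviderRouter.getAll` does in this commit. `bitbucketProviders` and `gitlabProviders` use the same in-memory filter.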
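Review bot: In `update`, the ownership check is made on `input.githubId`, but the write that follows is keyed on a second caller-supplied id: `updateGitProvider(input.gitProviderId, { name: input.name, adminId: ctx.user.adminId, ...`. Nothing visible requires the two ids to belong to the same record, and the write also sets `adminId`, so a mismatched pair would rename and reassign a git provider the check never examined. Take the id from the row that was verified, `await updateGitProvider(githubProvider.gitProviderId, {`, or reject when `input.gitProviderId !== githubProvider.gitProviderId` (field name assumed from the schema's `gitProviderId`; confirm it is on the returned row). The gitlab `update` hunk has the same shape, and the bitbucket one spreads `...input` into `updateBitbucket`, which is worth checking for the same field.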
@@ -18,6 +18,7 @@ import { findGitlabById, updateGitlab, updateGitProvider, + IS_CLOUD, } from "@dokploy/builders"; export const gitlabRouter = createTRPCRouter({ @@ -34,15 +35,32 @@ export const gitlabRouter = createTRPCRouter({ }); } }), - one: protectedProcedure.input(apiFindOneGitlab).query(async ({ input }) => { - return await findGitlabById(input.gitlabId); - }), - gitlabProviders: protectedProcedure.query(async () => { - const result = await db.query.gitlab.findMany({ + one: protectedProcedure + .input(apiFindOneGitlab) + .query(async ({ input, ctx }) => { + const gitlabProvider = await findGitlabById(input.gitlabId); + if (IS_CLOUD && gitlabProvider.gitProvider.adminId !== ctx.user.adminId) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this gitlab provider", + }); + } + return gitlabProvider; + }), + gitlabProviders: protectedProcedure.query(async ({ ctx }) => { + let result = await db.query.gitlab.findMany({ with: { gitProvider: true, }, }); + + if (IS_CLOUD) { + // TODO: mAyBe a rEfaCtoR 🤫 + result = result.filter( + (provider) => provider.gitProvider.adminId === ctx.user.adminId, + ); + } const filtered = result .filter((provider) => haveGitlabRequirements(provider)) .map((provider) => { 
@@ -58,19 +76,46 @@ export const gitlabRouter = createTRPCRouter({ }), getGitlabRepositories: protectedProcedure .input(apiFindOneGitlab) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + const gitlabProvider = await findGitlabById(input.gitlabId); + if (IS_CLOUD && gitlabProvider.gitProvider.adminId !== ctx.user.adminId) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this gitlab provider", + }); + } return await getGitlabRepositories(input.gitlabId); }), getGitlabBranches: protectedProcedure .input(apiFindGitlabBranches) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + const gitlabProvider = await findGitlabById(input.gitlabId || ""); + if (IS_CLOUD && gitlabProvider.gitProvider.adminId !== ctx.user.adminId) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this gitlab provider", + }); + } return await getGitlabBranches(input); }), testConnection: protectedProcedure .input(apiGitlabTestConnection) - .mutation(async ({ input }) => { + .mutation(async ({ input, ctx }) => { try { + const gitlabProvider = await findGitlabById(input.gitlabId || ""); + if ( + IS_CLOUD && + gitlabProvider.gitProvider.adminId !== ctx.user.adminId + ) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this gitlab provider", + }); + } const result = await testGitlabConnection(input); return `Found ${result} repositories`; 
@@ -84,6 +129,14 @@ export const gitlabRouter = createTRPCRouter({ update: protectedProcedure .input(apiUpdateGitlab) .mutation(async ({ input, ctx }) => { + const gitlabProvider = await findGitlabById(input.gitlabId); + if (IS_CLOUD && gitlabProvider.gitProvider.adminId !== ctx.user.adminId) { + //TODO: Remove this line when the cloud version is ready + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to access this gitlab provider", + }); + } if (input.name) { await updateGitProvider(input.gitProviderId, { name: input.name, diff --git a/apps/dokploy/server/api/routers/notification.ts b/apps/dokploy/server/api/routers/notification.ts index 6b38aefa..925b75db 100644 --- a/apps/dokploy/server/api/routers/notification.ts +++ b/apps/dokploy/server/api/routers/notification.ts @@ -37,6 +37,7 @@ import { sendEmailNotification, sendSlackNotification, sendTelegramNotification, + IS_CLOUD, } from "@dokploy/builders"; // TODO: Uncomment the validations when is cloud ready @@ -59,12 +60,13 @@ export const notificationRouter = createTRPCRouter({ .mutation(async ({ input, ctx }) => { try { const notification = await findNotificationById(input.notificationId); - // if (notification.adminId !== ctx.user.adminId) { - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not authorized to update this notification", - // }); - // } + if (IS_CLOUD && notification.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not authorized to update this notification", + }); + } return await updateSlackNotification({ ...input, adminId: ctx.user.adminId, 
@@ -109,12 +111,13 @@ export const notificationRouter = createTRPCRouter({ .mutation(async ({ input, ctx }) => { try { const notification = await findNotificationById(input.notificationId); - // if (notification.adminId !== ctx.user.adminId) { - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not authorized to update this notification", - // }); - // } + if (IS_CLOUD && notification.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not authorized to update this notification", + }); + } return await updateTelegramNotification({ ...input, adminId: ctx.user.adminId, @@ -166,12 +169,13 @@ export const notificationRouter = createTRPCRouter({ .mutation(async ({ input, ctx }) => { try { const notification = await findNotificationById(input.notificationId); - // if (notification.adminId !== ctx.user.adminId) { - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not authorized to update this notification", - // }); - // } + if (IS_CLOUD && notification.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not authorized to update this notification", + }); + } return await updateDiscordNotification({ ...input, adminId: ctx.user.adminId, 
@@ -220,12 +224,13 @@ export const notificationRouter = createTRPCRouter({ .mutation(async ({ input, ctx }) => { try { const notification = await findNotificationById(input.notificationId); - // if (notification.adminId !== ctx.user.adminId) { - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not authorized to update this notification", - // }); - // } + if (IS_CLOUD && notification.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not authorized to update this notification", + }); + } return await updateEmailNotification({ ...input, adminId: ctx.user.adminId, @@ -261,12 +266,13 @@ export const notificationRouter = createTRPCRouter({ .mutation(async ({ input, ctx }) => { try { const notification = await findNotificationById(input.notificationId); - // if (notification.adminId !== ctx.user.adminId) { - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not authorized to delete this notification", - // }); - // } + if (IS_CLOUD && notification.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not authorized to delete this notification", + }); + } return await removeNotificationById(input.notificationId); } catch (error) { throw new TRPCError({ 
@@ -279,12 +285,13 @@ export const notificationRouter = createTRPCRouter({ .input(apiFindOneNotification) .query(async ({ input, ctx }) => { const notification = await findNotificationById(input.notificationId); - // if (notification.adminId !== ctx.user.adminId) { - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not authorized to access this notification", - // }); - // } + if (IS_CLOUD && notification.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not authorized to access this notification", + }); + } return notification; }), all: adminProcedure.query(async ({ ctx }) => { @@ -296,7 +303,8 @@ export const notificationRouter = createTRPCRouter({ email: true, }, orderBy: desc(notifications.createdAt), - // where: eq(notifications.adminId, ctx.user.adminId), + ...(IS_CLOUD && { where: eq(notifications.adminId, ctx.user.adminId) }), + // TODO: Remove this line when the cloud version is ready }); }), }); diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts index bed8deb5..a2ca281f 100644 --- a/apps/dokploy/server/api/routers/settings.ts +++ b/apps/dokploy/server/api/routers/settings.ts @@ -484,7 +484,10 @@ export const settingsRouter = createTRPCRouter({ .input(apiReadStatsLogs) .query(({ input }) => { if (IS_CLOUD) { - return true; + return { + data: [], + totalCount: 0, + }; } const rawConfig = readMonitoringConfig(); const parsedConfig = parseRawConfig( @@ -499,7 +502,7 @@ export const settingsRouter = createTRPCRouter({ }), readStats: adminProcedure.query(() => { if (IS_CLOUD) { - return true; + return []; } const rawConfig = readMonitoringConfig(); const processedLogs = processLogs(rawConfig as string); diff --git a/apps/dokploy/server/api/routers/ssh-key.ts b/apps/dokploy/server/api/routers/ssh-key.ts index 3cf3778e..19e0ac74 100644 
--- a/apps/dokploy/server/api/routers/ssh-key.ts +++ b/apps/dokploy/server/api/routers/ssh-key.ts @@ -15,7 +15,9 @@ import { findSSHKeyById, removeSSHKeyById, updateSSHKeyById, + IS_CLOUD, } from "@dokploy/builders"; +import { eq } from "drizzle-orm"; export const sshRouter = createTRPCRouter({ create: protectedProcedure @@ -39,12 +41,14 @@ export const sshRouter = createTRPCRouter({ .mutation(async ({ input, ctx }) => { try { const sshKey = await findSSHKeyById(input.sshKeyId); - // if (sshKey.adminId !== ctx.user.adminId) { - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not allowed to delete this ssh key", - // }); - // } + if (IS_CLOUD && sshKey.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to delete this ssh key", + }); + } + return await removeSSHKeyById(input.sshKeyId); } catch (error) { throw error; @@ -55,7 +59,8 @@ export const sshRouter = createTRPCRouter({ .query(async ({ input, ctx }) => { const sshKey = await findSSHKeyById(input.sshKeyId); - if (sshKey.adminId !== ctx.user.adminId) { + if (IS_CLOUD && sshKey.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy throw new TRPCError({ code: "UNAUTHORIZED", message: "You are not allowed to access this ssh key", @@ -64,10 +69,10 @@ export const sshRouter = createTRPCRouter({ return sshKey; }), all: protectedProcedure.query(async ({ ctx }) => { - return await db.query.sshKeys.findMany({}); - // return await db.query.sshKeys.findMany({ - // where: eq(sshKeys.adminId, ctx.user.adminId), - // }); // TODO: Remove this line when the cloud version is ready + return await db.query.sshKeys.findMany({ + ...(IS_CLOUD && { where: eq(sshKeys.adminId, ctx.user.adminId) }), + }); + // TODO: Remove this line when the cloud version is ready }), generate: protectedProcedure .input(apiGenerateSSHKey) 
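Review bot: The `one` query used to enforce `sshKey.adminId !== ctx.user.adminId` unconditionally; prefixing it with `IS_CLOUD &&` removes the only ownership check this handler had on self-hosted installs, where it returns the whole `sshKey` record. If a self-hosted instance can never hold more than one admin the result is the same, but that is not visible here, so I would keep the original condition, `if (sshKey.adminId !== ctx.user.adminId) {`, and apply the `IS_CLOUD` gate only to the checks this commit newly enables. A short comment stating why self-hosted is exempt would also help, since the `TODO` says the gate is temporary.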
@@ -79,12 +84,13 @@ export const sshRouter = createTRPCRouter({ .mutation(async ({ input, ctx }) => { try { const sshKey = await findSSHKeyById(input.sshKeyId); - // if (sshKey.adminId !== ctx.user.adminId) { - // throw new TRPCError({ - // code: "UNAUTHORIZED", - // message: "You are not allowed to update this ssh key", - // }); - // } + if (IS_CLOUD && sshKey.adminId !== ctx.user.adminId) { + // TODO: Remove isCloud in the next versions of dokploy + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not allowed to update this ssh key", + }); + } return await updateSSHKeyById(input); } catch (error) { throw new TRPCError({ diff --git a/packages/builders/src/db/schema/github.ts b/packages/builders/src/db/schema/github.ts index 1c2d8983..b8f739ce 100644 --- a/packages/builders/src/db/schema/github.ts +++ b/packages/builders/src/db/schema/github.ts @@ -40,7 +40,6 @@ export const apiCreateGithub = createSchema.extend({ githubWebhookSecret: z.string().nullable(), gitProviderId: z.string().optional(), name: z.string().min(1), - authId: z.string().min(1), }); export const apiFindGithubBranches = z.object({