mirror of
https://github.com/Dokploy/dokploy
synced 2025-06-26 18:27:59 +00:00
refactor(cloud): validate all the routes to prevent get access from private resource
This commit is contained in:
@@ -16,7 +16,7 @@ import {
|
||||
} from "@/server/db/schema";
|
||||
|
||||
import { TRPCError } from "@trpc/server";
|
||||
import { desc, eq, sql } from "drizzle-orm";
|
||||
import { and, desc, eq, sql } from "drizzle-orm";
|
||||
import type { AnyPgColumn } from "drizzle-orm/pg-core";
|
||||
|
||||
import {
|
||||
@@ -45,7 +45,6 @@ export const projectRouter = createTRPCRouter({
|
||||
|
||||
return project;
|
||||
} catch (error) {
|
||||
console.log(error);
|
||||
throw new TRPCError({
|
||||
code: "BAD_REQUEST",
|
||||
message: "Error to create the project",
|
||||
@@ -62,8 +61,11 @@ export const projectRouter = createTRPCRouter({
|
||||
|
||||
await checkProjectAccess(ctx.user.authId, "access", input.projectId);
|
||||
|
||||
const service = await db.query.projects.findFirst({
|
||||
where: eq(projects.projectId, input.projectId),
|
||||
const project = await db.query.projects.findFirst({
|
||||
where: and(
|
||||
eq(projects.projectId, input.projectId),
|
||||
eq(projects.adminId, ctx.user.adminId),
|
||||
),
|
||||
with: {
|
||||
compose: {
|
||||
where: buildServiceFilter(compose.composeId, accesedServices),
|
||||
@@ -92,15 +94,22 @@ export const projectRouter = createTRPCRouter({
|
||||
},
|
||||
});
|
||||
|
||||
if (!service) {
|
||||
if (!project) {
|
||||
throw new TRPCError({
|
||||
code: "NOT_FOUND",
|
||||
message: "Project not found",
|
||||
});
|
||||
}
|
||||
return service;
|
||||
return project;
|
||||
}
|
||||
const project = await findProjectById(input.projectId);
|
||||
|
||||
if (project.adminId !== ctx.user.adminId) {
|
||||
throw new TRPCError({
|
||||
code: "UNAUTHORIZED",
|
||||
message: "You are not authorized to access this project",
|
||||
});
|
||||
}
|
||||
return project;
|
||||
}),
|
||||
all: protectedProcedure.query(async ({ ctx }) => {
|
||||
@@ -170,32 +179,38 @@ export const projectRouter = createTRPCRouter({
|
||||
if (ctx.user.rol === "user") {
|
||||
await checkProjectAccess(ctx.user.authId, "delete");
|
||||
}
|
||||
const project = await deleteProject(input.projectId);
|
||||
const currentProject = await findProjectById(input.projectId);
|
||||
if (currentProject.adminId !== ctx.user.adminId) {
|
||||
throw new TRPCError({
|
||||
code: "UNAUTHORIZED",
|
||||
message: "You are not authorized to delete this project",
|
||||
});
|
||||
}
|
||||
const deletedProject = await deleteProject(input.projectId);
|
||||
|
||||
return project;
|
||||
return deletedProject;
|
||||
} catch (error) {
|
||||
throw new TRPCError({
|
||||
code: "BAD_REQUEST",
|
||||
message: "Error to delete this project",
|
||||
cause: error,
|
||||
});
|
||||
throw error;
|
||||
}
|
||||
}),
|
||||
update: protectedProcedure
|
||||
.input(apiUpdateProject)
|
||||
.mutation(async ({ input }) => {
|
||||
.mutation(async ({ input, ctx }) => {
|
||||
try {
|
||||
const project = updateProjectById(input.projectId, {
|
||||
const currentProject = await findProjectById(input.projectId);
|
||||
if (currentProject.adminId !== ctx.user.adminId) {
|
||||
throw new TRPCError({
|
||||
code: "UNAUTHORIZED",
|
||||
message: "You are not authorized to update this project",
|
||||
});
|
||||
}
|
||||
const project = await updateProjectById(input.projectId, {
|
||||
...input,
|
||||
});
|
||||
|
||||
return project;
|
||||
} catch (error) {
|
||||
throw new TRPCError({
|
||||
code: "BAD_REQUEST",
|
||||
message: "Error to update this project",
|
||||
cause: error,
|
||||
});
|
||||
throw error;
|
||||
}
|
||||
}),
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user