refactor(cloud): add validation to prevent access to resources from another admin

Mauricio Siu
2024-10-03 19:48:49 -06:00
parent 8abeae5e63
commit ec1d6c7430
12 changed files with 250 additions and 90 deletions


@@ -3,10 +3,10 @@ import { pgEnum, pgTable, text } from "drizzle-orm/pg-core";
import { createInsertSchema } from "drizzle-zod";
import { nanoid } from "nanoid";
import { z } from "zod";
import { auth } from "./auth";
import { bitbucket } from "./bitbucket";
import { github } from "./github";
import { gitlab } from "./gitlab";
import { admins } from "./admin";
export const gitProviderType = pgEnum("gitProviderType", [
"github",
@@ -24,9 +24,9 @@ export const gitProvider = pgTable("git_provider", {
createdAt: text("createdAt")
.notNull()
.$defaultFn(() => new Date().toISOString()),
authId: text("authId")
.notNull()
.references(() => auth.id, { onDelete: "cascade" }),
adminId: text("adminId").references(() => admins.adminId, {
onDelete: "cascade",
}),
});
export const gitProviderRelations = relations(gitProvider, ({ one, many }) => ({
@@ -42,9 +42,9 @@ export const gitProviderRelations = relations(gitProvider, ({ one, many }) => ({
fields: [gitProvider.gitProviderId],
references: [bitbucket.gitProviderId],
}),
auth: one(auth, {
fields: [gitProvider.authId],
references: [auth.id],
admin: one(admins, {
fields: [gitProvider.adminId],
references: [admins.adminId],
}),
}));
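Review bot: The new `adminId` column on `git_provider` is declared without `.notNull()`, while the `authId` column it appears to replace was `.notNull()`, so a provider row can now exist with no owner at all. For a column whose purpose is to separate one admin's resources from another's, an ownerless row cannot be attributed to anyone, and every ownership check and list filter has to handle the NULL case correctly. Once existing rows are backfilled I would declare it as `adminId: text("adminId").notNull().references(() => admins.adminId, { onDelete: "cascade" })`. The same nullable `adminId` is added to the `notification` table in the next file. The migration is not visible on this page, so the backfill step is assumed rather than confirmed.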


@@ -3,6 +3,7 @@ import { boolean, integer, pgEnum, pgTable, text } from "drizzle-orm/pg-core";
import { createInsertSchema } from "drizzle-zod";
import { nanoid } from "nanoid";
import { z } from "zod";
import { admins } from "./admin";
export const notificationType = pgEnum("notificationType", [
"slack",
@@ -38,6 +39,9 @@ export const notifications = pgTable("notification", {
emailId: text("emailId").references(() => email.emailId, {
onDelete: "cascade",
}),
adminId: text("adminId").references(() => admins.adminId, {
onDelete: "cascade",
}),
});
export const slack = pgTable("slack", {
@@ -96,6 +100,10 @@ export const notificationsRelations = relations(notifications, ({ one }) => ({
fields: [notifications.emailId],
references: [email.emailId],
}),
admin: one(admins, {
fields: [notifications.adminId],
references: [admins.adminId],
}),
}));
export const notificationsSchema = createInsertSchema(notifications);
@@ -118,6 +126,7 @@ export const apiCreateSlack = notificationsSchema
export const apiUpdateSlack = apiCreateSlack.partial().extend({
notificationId: z.string().min(1),
slackId: z.string(),
adminId: z.string().optional(),
});
export const apiTestSlackConnection = apiCreateSlack.pick({
@@ -143,6 +152,7 @@ export const apiCreateTelegram = notificationsSchema
export const apiUpdateTelegram = apiCreateTelegram.partial().extend({
notificationId: z.string().min(1),
telegramId: z.string().min(1),
adminId: z.string().optional(),
});
export const apiTestTelegramConnection = apiCreateTelegram.pick({
@@ -167,6 +177,7 @@ export const apiCreateDiscord = notificationsSchema
export const apiUpdateDiscord = apiCreateDiscord.partial().extend({
notificationId: z.string().min(1),
discordId: z.string().min(1),
adminId: z.string().optional(),
});
export const apiTestDiscordConnection = apiCreateDiscord.pick({
@@ -195,6 +206,7 @@ export const apiCreateEmail = notificationsSchema
export const apiUpdateEmail = apiCreateEmail.partial().extend({
notificationId: z.string().min(1),
emailId: z.string().min(1),
adminId: z.string().optional(),
});
export const apiTestEmailConnection = apiCreateEmail.pick({
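Review bot: The four update schemas (`apiUpdateSlack`, `apiUpdateTelegram`, `apiUpdateDiscord`, `apiUpdateEmail`) now accept an optional `adminId` from the request body, which makes the owner of a notification a field the client can supply. If any handler passes the parsed input straight through to the update, a caller could change which admin a notification belongs to, or the ownership check could end up comparing against a value the caller chose. The handlers are not visible in this section, so the value may already be overwritten server-side; if it is, a comment such as `// adminId is always taken from the session in the router, never from input` on each schema would make that contract explicit. Otherwise I would drop `adminId` from the input schemas and pass the session's admin id to the service as a separate argument.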