fix(authentication, grpc-sdk): team owner deletion bug (#1097)

* fix: team owner deletion bug fix: bug * fix(grpc-sdk,authentication): add version to team resource * fix(authentication): remove unnecessary relation * fix: inherit permission
ConduitPlatform · Jul 29, 2024 · 84c0a4a · 84c0a4a
1 parent edbc1f0
commit 84c0a4a
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/libraries/grpc-sdk/src/classes/ConduitAuthorizedResource.ts b/libraries/grpc-sdk/src/classes/ConduitAuthorizedResource.ts
@@ -4,11 +4,13 @@ export class ConduitAuthorizedResource {
   readonly name: string;
   readonly relations: Resource_Relation[] = [];
   readonly permissions: Resource_Permission[] = [];
+  readonly version?: number;
 
   constructor(
     name: string,
     relations: { [field: string]: string | string[] },
     permissions: { [action: string]: string | string[] },
+    version?: number,
   ) {
     this.name = name;
     this.relations = Object.keys(relations).map(relation => {
@@ -27,5 +29,6 @@ export class ConduitAuthorizedResource {
           : ([permissions[permission]] as string[]),
       };
     });
+    this.version = version;
   }
 }
diff --git a/modules/authentication/src/authz/index.ts b/modules/authentication/src/authz/index.ts
@@ -19,5 +19,7 @@ export const Team = new ConduitAuthorizedResource(
     manageMembers: ['owner', 'owner->edit'],
     viewSubTeams: ['owner', 'readAll', 'editAll', 'owner->read', 'owner->edit'],
     manageSubTeams: ['owner', 'editAll', 'owner->edit'],
+    deleteOwners: ['owner', 'owner->deleteOwners'],
   },
+  1,
 );
diff --git a/modules/authentication/src/handlers/team.ts b/modules/authentication/src/handlers/team.ts
@@ -334,12 +334,38 @@ export class TeamsHandler implements IAuthenticationStrategy {
         'User does not have permission to remove team members',
       );
     }
+    let deletionError = false;
     for (const member of members) {
+      const relation = await this.grpcSdk.authorization!.findRelation({
+        subject: 'User:' + member,
+        resource: 'Team:' + teamId,
+      });
+      if (!relation || relation.relations.length === 0) {
+        continue;
+      }
+      const memberRole = relation.relations[0].relation;
+      if (memberRole === 'owner') {
+        const allowed = await this.grpcSdk.authorization!.can({
+          subject: 'User:' + user._id,
+          actions: ['deleteOwners'],
+          resource: 'Team:' + teamId,
+        });
+        if (!allowed.allow) {
+          deletionError = true;
+          continue;
+        }
+      }
       await this.grpcSdk.authorization!.deleteAllRelations({
         subject: 'User:' + member,
         resource: 'Team:' + teamId,
       });
     }
+    if (deletionError) {
+      throw new GrpcError(
+        status.PERMISSION_DENIED,
+        'One or more members were not deleted',
+      );
+    }
     return 'Users removed from team';
   }