Make the device's device_service_environment_variable permission stri…

…cter Change-type: patch
balena-io · Nov 26, 2024 · 358ab2d · 358ab2d
1 parent c52d6ac
commit 358ab2d
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
@@ -121,9 +121,12 @@ export const DEVICE_API_KEY_PERMISSIONS = [
 	'resin.service_environment_variable.read?service/canAccess()',
 
 	'resin.device_service_environment_variable.read?device/canAccess()',
+	// Should be created for the device itself, and it should be for a service of the app that the device belongs to.
+	`resin.device_service_environment_variable.create?device/any(d:${matchesNonFrozenDeviceActor('d')}) and service/any(s:s/application/any(a:a/owns__device/any(d:d/${matchesActor})))`,
 	...writePerms(
 		'resin.device_service_environment_variable',
 		`device/any(d:${matchesNonFrozenDeviceActor('d')})`,
+		['update', 'delete'],
 	),
 
 	'resin.image__is_part_of__release.read?is_part_of__release/canAccess()',