From 1aa7c654f068671c745d7ca566a72626020c2688 Mon Sep 17 00:00:00 2001
From: Maidul Islam
Date: Fri, 7 Apr 2023 12:06:43 -0700
Subject: [PATCH] Add simple validation checks

---
 backend/src/controllers/v1/secretsFolderController.ts | 9 +++++++++
 backend/src/routes/v1/secretsFolder.ts | 6 ++++++
 2 files changed, 15 insertions(+)

diff --git a/backend/src/controllers/v1/secretsFolderController.ts b/backend/src/controllers/v1/secretsFolderController.ts
index b3bed29066..2e856c2a40 100644
--- a/backend/src/controllers/v1/secretsFolderController.ts
+++ b/backend/src/controllers/v1/secretsFolderController.ts
@@ -3,6 +3,8 @@ import { Secret } from '../../models';
 import Folder from '../../models/folder';
 import { BadRequestError } from '../../utils/errors';
 import { ROOT_FOLDER_PATH, getFolderPath, getParentPath, normalizePath, validateFolderName } from '../../utils/folder';
+import { ADMIN, MEMBER } from '../../variables';
+import { validateMembership } from '../../helpers/membership';
 
 // TODO
 // verify workspace id/environment
@@ -63,6 +65,13 @@ export const deleteFolder = async (req: Request, res: Response) => {
     throw BadRequestError({ message: "The folder doesn't exist" })
   }
 
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: folder.workspace as any,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
   while (queue.length > 0) {
     const currentFolderId = queue.shift();
 
diff --git a/backend/src/routes/v1/secretsFolder.ts b/backend/src/routes/v1/secretsFolder.ts
index de38393b0e..07dc058021 100644
--- a/backend/src/routes/v1/secretsFolder.ts
+++ b/backend/src/routes/v1/secretsFolder.ts
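Review bot: `workspaceId: folder.workspace as any` in the new validateMembership call discards the type of the folder's workspace reference instead of converting it; since `userId` is already passed as a string via `.toString()`, the matching form `workspaceId: folder.workspace.toString()` keeps the call typed and stops relying on the helper accepting an ObjectId and a string interchangeably — confirm against what validateMembership declares. The membership check also runs only after the lookup has already answered "The folder doesn't exist", so an authenticated user who is not a member can still learn whether a folder id exists in another workspace; doing the membership check before that response, or returning the same error in both cases, closes that probe. deleteFolder starts before and continues past this hunk, and the delete route is not part of this patch, so whether the route layer enforces workspace membership for deletes cannot be seen here.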
@@ -2,16 +2,22 @@ import express, { Request, Response } from 'express';
 const router = express.Router();
 import {
     requireAuth,
+    requireWorkspaceAuth,
     validateRequest
 } from '../../middleware';
 import { body, param } from 'express-validator';
 import { createFolder, deleteFolder } from '../../controllers/v1/secretsFolderController';
+import { ADMIN, MEMBER } from '../../variables';
 
 router.post(
   '/',
   requireAuth({
     acceptedAuthModes: ['jwt']
   }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    location: 'body'
+  }),
   body('workspaceId').exists(),
   body('environment').exists(),
   body('folderName').exists(),
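Review bot: The new `requireWorkspaceAuth({ acceptedRoles: [ADMIN, MEMBER], location: 'body' })` is placed ahead of `body('workspaceId').exists()` and, presumably, `validateRequest`, so it reads `req.body.workspaceId` before any validator has confirmed the field is present or well-formed. That ordering is safe only if the middleware itself rejects a missing or non-id value instead of letting such a request continue; confirm that, or move the validators and `validateRequest` ahead of it. `.exists()` on its own also accepts any value, so `body('workspaceId').exists().isMongoId()` would reject malformed ids before they reach a membership lookup. The router.post call continues past the end of the hunk.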